From 86f594509a2dec84707537839f4e716fe042c09c Mon Sep 17 00:00:00 2001 
From: Tay Caliguiri Date: Wed, 6 May 2026 16:32:38 -0400 Subject: [PATCH 1/3] Add updated FSAA 11.6 schema --- .../11.6/admin/schema/fsaadc/_category_.json | 10 + .../schema/fsaadc/coretables/_category_.json | 10 + .../schema/fsaadc/coretables/overview.md | 933 ++++++++++++++++++ .../schema/fsaadc/enumeration/_category_.json | 10 + .../schema/fsaadc/enumeration/overview.md | 98 ++ .../admin/schema/fsaadc/erd/_category_.json | 10 + .../11.6/admin/schema/fsaadc/erd/overview.md | 193 ++++ .../schema/fsaadc/fkreference/_category_.json | 10 + .../schema/fsaadc/fkreference/overview.md | 77 ++ .../schema/fsaadc/functions/_category_.json | 10 + .../admin/schema/fsaadc/functions/overview.md | 229 +++++ .../fsaadc/indexreference/_category_.json | 10 + .../schema/fsaadc/indexreference/overview.md | 62 ++ .../11.6/admin/schema/fsaadc/overview.md | 158 +++ .../admin/schema/fsaadc/views/_category_.json | 10 + .../admin/schema/fsaadc/views/overview.md | 637 ++++++++++++ .../11.6/admin/schema/overview.md | 11 + 17 files changed, 2478 insertions(+) create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json create mode 100644 
docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json new file mode 100644 index 0000000000..62e25445cc --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "File System Access Data Collector Schema", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json new file mode 100644 index 0000000000..e390b2c64a --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Core Data Collection Tables", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md new file mode 100644 index 0000000000..c87408e15f --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md 
@@ -0,0 +1,933 @@ +# Core Data Collection Tables + +All `SA_FSAA_*` tables are partitioned by `HOST INT` (FK → `SA_FSAA_Hosts.ID`) with `ON DELETE CASCADE` so that removing a host purges its data set. Within a host, identifiers (`ID`, `RightsProxyID`, etc.) are assigned by the FSAA bulk-import pipeline. + +--- + +## FSAA Tables + +### SA_FSAA_SchemaVer {#sa_fsaa_schemaver} + +**Description:** Single-row table holding the FSAA schema version string. The CREATE-Schema job clears and re-inserts the version on every run. Used by upgrades to decide whether to apply migrations. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| SchemaVer | varchar | 64 | No | | | | Schema version (current value `8.0.11`) | + +No primary key, foreign keys, or indexes. + +--- + +### SA_FSAA_Hosts {#sa_fsaa_hosts} + +**Description:** Registry of every host scanned by FSAA. One row per host. The integer `ID` is the FK target for every other FSAA table's `HOST` column. `USN`/`AccessUSN`/`ActivityUSN`/`DLPUSN` are per-scan-type Update Sequence Numbers used by the C# importer to detect deltas; the matching `*GUID` columns identify the SQLite cache that produced the last upload. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| ID | int | | No | PK | | IDENTITY(1,1) | Surrogate host ID — referenced by every FSAA table | +| HOST | nvarchar | 64 | No | | | | Host name (NetBIOS / FQDN). 
Has unique constraint | +| SAConsole | nvarchar | 64 | No | | | | Console host that initiated the scan | +| ScanTime | datetime | | No | | | | Time of most recent scan | +| GUID | varchar | 38 | No | | | `''` | Top-level scan correlation GUID | +| USN | int | | No | | | `-1` | Top-level Update Sequence Number for the structural scan | +| AccessUSN | int | | No | | | `-1` | USN tracking the latest Access (FSAA) data import | +| AccessGUID | varchar | 38 | No | | | `''` | Correlation GUID for the latest Access scan | +| ActivityUSN | int | | No | | | `-1` | USN tracking the latest Activity (FSAC) data import | +| ActivityGUID | varchar | 38 | No | | | `''` | Correlation GUID for the latest Activity scan | +| DLPUSN | int | | No | | | `-1` | USN tracking the latest DLP scan | +| DLPGUID | varchar | 38 | No | | | `''` | Correlation GUID for the latest DLP scan | +| LastScanHost | nvarchar | 64 | Yes | | | | Hostname of machine that performed the last scan | + +**Primary Key:** `PK_SA_FSAA_Hosts` — clustered on `(ID)` + +**Unique Constraints:** `UQ_SA_FSAA_Hosts_HOST` — unique on `(HOST)` + +--- + +### SA_FSAA_ImportHistory {#sa_fsaa_importhistory} + +**Description:** Append-only history of every successful data import for each host. One row per host per import per scan type. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host that the import covered | +| GUID | varchar | 38 | No | | | | Correlation GUID for the imported scan | +| USN | int | | No | | | | USN observed at import time | +| ScanType | varchar | 32 | No | | | | One of `Access`, `Activity`, `DLP` | +| ImportTime | datetime | | No | PK | | `CURRENT_TIMESTAMP` | When the import ran | + +**Primary Key:** `PK_SA_FSAA_ImportHistory` — clustered on `(HOST, ImportTime)` + +**Foreign Keys:** +- `FK_SA_FSAA_ImportHistory_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_Trustees {#sa_fsaa_trustees} + +**Description:** Every distinct security principal observed in ACLs on a host, identified by `(HOST, ID)`. This table holds only the SID and the `TrusteeType` enumeration; human-readable name fields live in `SA_FSAA_LocalTrustees` (for local accounts) or are looked up from the AD inventory at view time. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host trustee ID | +| SID | varchar | 184 | No | | | | Security identifier (string form, e.g. `S-1-5-21-...`) | +| TrusteeType | smallint | | No | | | | See [TrusteeType enumeration](../enumeration/overview.md#trusteetype) | + +**Primary Key:** `PK_SA_FSAA_Trustees` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Trustees_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_LocalTrustees {#sa_fsaa_localtrustees} + +**Description:** Subset of `SA_FSAA_Trustees`: the local accounts and groups that exist on the scanned host (NT-style domain/name plus display name). `(HOST, ID)` is a foreign key into `SA_FSAA_Trustees`. `IsDisabled` is stored as `'Y'`/`'N'`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Trustees.HOST | | Host partition | +| ID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Trustee ID, must exist in `SA_FSAA_Trustees` | +| NTDomain | nvarchar | 128 | Yes | | | | Domain portion of NT-style name | +| NTName | nvarchar | 256 | Yes | | | | SAM account name | +| DisplayName | nvarchar | 256 | Yes | | | | Display name | +| SID | varchar | 184 | No | | | | SID (denormalized copy from `SA_FSAA_Trustees`) | +| TrusteeType | smallint | | No | | | | See [TrusteeType enumeration](../enumeration/overview.md#trusteetype) | +| IsDisabled | varchar | 2 | No | | | | `'Y'` / `'N'` | +| USN | int | | No | | | `-1` | USN at last sighting | +| DeletedUSN | int | | Yes | | | | USN when the principal was removed (NULL = still present) | + +**Primary Key:** `PK_SA_FSAA_LocalTrustees` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_LocalTrustees_ID` → `(HOST, ID) → SA_FSAA_Trustees(HOST, ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_TrusteeEquivalence {#sa_fsaa_trusteeequivalence} + +**Description:** Group-membership edges between local trustees on the host. Each row is a `(group → member)` pair, where `EquivalentTrusteeID` is the group and `TrusteeID` is the member. Used to expand local-group memberships during effective-access calculations and by `SA_FSAA_LocalGroupMembersView`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Member trustee | +| EquivalentTrusteeID | int | | No | PK | FK → SA_FSAA_LocalTrustees.ID | | Group (local trustee) the member belongs to | + +**Primary Key:** `PK_SA_FSAA_TrusteeEquivalence` — clustered on `(HOST, TrusteeID, EquivalentTrusteeID)` + +**Foreign Keys:** +- `FK_SA_FSAA_TrusteeEquivalence_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` +- `FK_SA_FSAA_TrusteeEquivalence_EquivalentTrusteeID` → `(HOST, EquivalentTrusteeID) → SA_FSAA_LocalTrustees(HOST, ID) ON DELETE CASCADE` + +**Indexes:** +- `SA_FSAA_TrusteeEquivalence_Group_IDX` — nonclustered on `(HOST, EquivalentTrusteeID)` INCLUDE `(TrusteeID)` + +--- + +### SA_FSAA_Rights {#sa_fsaa_rights} + +**Description:** Permission-entry table. Every distinct ACL is given a `RightsProxyID`; resources that share an identical ACL share one `RightsProxyID`, deduplicating the storage cost dramatically. Each row of `SA_FSAA_Rights` is one access-control entry within an ACL: a `TrusteeID` plus its allow/deny rights (broken down by direct/inherited and by simplified bitmask vs. full Windows mask). + +The **Rights bitmask** (`AllowRights` / `DenyRights`) uses the simplified six-bit FSAA representation — see [Rights bitmask enumeration](../enumeration/overview.md#rights-bitmask). The **Mask** columns (`AllowMask` / `DenyMask`) hold the full Windows access mask (for example, `2032127 = Full Control`, `1245631 = Modify`). + +`AllowRights = DirectAllowRights | InheritedAllowRights` (and similarly for `DenyRights`); the table is created with `WITH (DATA_COMPRESSION = ROW)` on Enterprise editions because it is the largest table in the schema. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| RightsProxyID | int | | No | PK | | | Deduplication key — multiple resources may share one proxy | +| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | The principal this ACE applies to | +| AllowRights | smallint | | No | | | `0` | Combined direct+inherited allow bits (see [Rights bitmask](../enumeration/overview.md#rights-bitmask)) | +| DenyRights | smallint | | No | | | `0` | Combined direct+inherited deny bits | +| DirectAllowRights | smallint | | No | | | | Direct (non-inherited) allow bits | +| DirectDenyRights | smallint | | No | | | | Direct deny bits | +| InheritedAllowRights | smallint | | No | | | | Inherited allow bits | +| InheritedDenyRights | smallint | | No | | | | Inherited deny bits | +| AllowMask | int | | No | | | | Full Windows allow access mask | +| DenyMask | int | | No | | | | Full Windows deny access mask | +| DirectAllowMask | int | | No | | | | Direct allow mask | +| DirectDenyMask | int | | No | | | | Direct deny mask | +| InheritedAllowMask | int | | No | | | | Inherited allow mask | +| InheritedDenyMask | int | | No | | | | Inherited deny mask | + +**Primary Key:** `PK_SA_FSAA_Rights` — clustered on `(HOST, RightsProxyID, TrusteeID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Rights_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAA_Tags {#sa_fsaa_tags} + +**Description:** Distinct file tag values per host. Two-level deduplication: `Tags` holds the unique tag string, `TagKeys`/`TagProxies` define a multi-tag set, and `Resources.TagProxyID` references a particular set. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| TagID | int | | No | PK | | | Per-host tag ID | +| Tag | nvarchar | MAX | No | | | | Tag string (for example, an Azure Information Protection label or custom tag) | +| Source | tinyint | | No | | | `0` | Tag source | + +**Primary Key:** `PK_SA_FSAA_Tags` — clustered on `(HOST, TagID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Tags_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_TagKeys {#sa_fsaa_tagkeys} + +**Description:** Defines a "tag set" identity. Each `TagProxyID` represents a unique combination of tag values that one or more resources share. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| TagProxyID | int | | No | PK | | | Identifier for the tag set | + +**Primary Key:** `PK_SA_FSAA_TagKeys` — clustered on `(HOST, TagProxyID)` + +**Foreign Keys:** +- `FK_SA_FSAA_TagKeys_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_TagProxies {#sa_fsaa_tagproxies} + +**Description:** Membership of `Tags` in a `TagKeys` set: each row links one tag to one tag-proxy. A resource's `TagProxyID` points at a row in `TagKeys`; joining through `TagProxies` yields the list of tags applied. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| TagProxyID | int | | No | PK | FK → SA_FSAA_TagKeys.TagProxyID | | Tag set | +| TagID | int | | No | PK | FK → SA_FSAA_Tags.TagID | | Tag in the set | + +**Primary Key:** `PK_SA_FSAA_TagProxies` — clustered on `(HOST, TagProxyID, TagID)` + +**Foreign Keys:** +- `FK_SA_FSAA_TagProxies_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_TagProxies_TagProxyID` → `(HOST, TagProxyID) → SA_FSAA_TagKeys(HOST, TagProxyID)` +- `FK_SA_FSAA_TagProxies_TagID` → `(HOST, TagID) → SA_FSAA_Tags(HOST, TagID)` + +--- + +### SA_FSAA_Resources {#sa_fsaa_resources} + +**Description:** The structural backbone — every share, folder, and file the DC has seen on the host, plus its parent linkage, owner, ACL pointer, gate pointer, tag pointer, sizing, timestamps, and per-scan-type tracking columns. This is the largest table in the schema by row count and is created `WITH (DATA_COMPRESSION = ROW)` on Enterprise editions. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | bigint | | No | PK | | | Per-host resource ID (bigint to support very large file systems) | +| ParentResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Parent folder/share. 
NULL = root | +| Name | nvarchar | 2000 | No | | | | Leaf name (folder/file name; share name for shares) | +| ResourceType | tinyint | | No | | | | See [ResourceType enumeration](../enumeration/overview.md#resourcetype) | +| OwnerID | int | | Yes | | FK → SA_FSAA_Trustees.ID | | Resource owner trustee | +| RightsProxyID | int | | Yes | | | | FK-style pointer into `SA_FSAA_Rights` (no enforced FK; NULL = inherited from parent) | +| GatesProxyID | bigint | | Yes | | | | Pointer into `SA_FSAA_GatesProxy` (no enforced FK) | +| NestedLevel | int | | No | | | | Depth in the resource tree (0 = root) | +| Size | bigint | | Yes | | | | Aggregated file-content size | +| LastModified | datetime | | Yes | | | | NTFS last-modified timestamp | +| LastAccessed | datetime | | Yes | | | | NTFS last-accessed timestamp | +| Created | datetime | | Yes | | | | NTFS creation timestamp | +| TagProxyID | int | | Yes | | | | Pointer into `SA_FSAA_TagKeys` (no enforced FK) | +| AccessID | bigint | | Yes | | | | Cross-module link to the Access (FSAA) ID for this resource | +| AccessUSN | int | | Yes | | | | USN at last Access sighting | +| AccessLastSeen | datetime2 | | Yes | | | | Last time Access scan saw this resource | +| AccessLastDeleted | datetime2 | | Yes | | | | Time the resource was last marked deleted by Access | +| ActivityID | bigint | | Yes | | | | Cross-module link to the Activity (FSAC) ID for this resource | +| ActivityUSN | int | | Yes | | | | USN at last Activity sighting | +| ActivityLastSeen | datetime2 | | Yes | | | | Last time Activity scan saw this resource | +| ActivityLastDeleted | datetime2 | | Yes | | | | Time the resource was last marked deleted by Activity | +| DLPID | bigint | | Yes | | | | Cross-module link to the DLP (FSDLP) ID for this resource | +| DLPUSN | int | | Yes | | | | USN at last DLP sighting | +| DLPLastSeen | datetime2 | | Yes | | | | Last time DLP saw this resource | +| DLPLastDeleted | datetime2 | | Yes | | | | Time the resource was last marked 
deleted by DLP | +| USN | int | | No | | | `-1` | Structural USN — last seen in this scan | +| DeletedUSN | int | | Yes | | | | USN when the resource was deleted (NULL = still present) | + +**Primary Key:** `PK_SA_FSAA_Resources` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Resources_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_Resources_ParentResourceID` → `(HOST, ParentResourceID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Resources_OwnerID` → `(HOST, OwnerID) → SA_FSAA_Trustees(HOST, ID)` + +**Indexes:** +- `SA_FSAA_Resources_Enum_IDX` — `(HOST, ParentResourceID)` INCLUDE `(ID, ResourceType, DeletedUSN)` +- `SA_FSAA_Resources_RightsProxyID_IDX` — `(HOST, RightsProxyID)` INCLUDE `(ID, GatesProxyID, DeletedUSN, ResourceType)` +- `SA_FSAA_Resources_GatesProxyID_IDX` — `(HOST, GatesProxyID)` INCLUDE `(ID)` +- `SA_FSAA_Resources_USN_IDX` — `(HOST, USN)` INCLUDE `(ID)` +- `SA_FSAA_Resources_ParentResourceID_Name_IDX` — `(HOST, ParentResourceID, Name)` + +--- + +### SA_FSAA_UnixRights {#sa_fsaa_unixrights} + +**Description:** POSIX permission triplet (`Mask`, owner, group) for Unix/NFS resources. One row per resource that has Unix rights. The `Mask` column stores the standard POSIX mode bits. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource these rights apply to | +| OwnerID | int | | No | | FK → SA_FSAA_Trustees.ID | | POSIX owner trustee | +| GroupID | int | | No | | FK → SA_FSAA_Trustees.ID | | POSIX group trustee | +| Mask | int | | No | | | | POSIX mode mask | +| USN | int | | No | | | | Update Sequence Number | + +**Primary Key:** `PK_SA_FSAA_UnixRights` — clustered on `(HOST, ResourceID)` + +**Foreign Keys:** +- `FK_SA_FSAA_UnixRights_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE` +- `FK_SA_FSAA_UnixRights_OwnerID` → `(HOST, OwnerID) → SA_FSAA_Trustees(HOST, ID)` +- `FK_SA_FSAA_UnixRights_GroupID` → `(HOST, GroupID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAA_Gates {#sa_fsaa_gates} + +**Description:** A "gate" is the entry point through which clients reach a resource: an SMB share, an NFS export, an NFS export policy, or an Azure Files share. Gates have their own ACLs (share permissions) separate from the resource ACLs. A gate references the underlying `ShareID` and the `FolderID` it grants access to. NFS share-level ACLs (export rules) are modeled as a separate "policy" gate referenced by `PolicyID` self-FK. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host gate ID | +| ShareID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource that represents the share root | +| FolderID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Folder the gate grants access to | +| PolicyID | int | | Yes | | FK → SA_FSAA_Gates.ID | | Self-FK — points at the export-policy gate when this is an NFS export | +| DisplayName | nvarchar | 256 | No | | | | Share name (for example, `Public$`) | +| Path | nvarchar | 512 | Yes | | | | Local path of the share (for example, `C:\Shares\Public`) | +| NestedLevel | int | | Yes | | | | Depth from the host root | +| GateType | int | | No | | | `0` | See [GateType enumeration](../enumeration/overview.md#gatetype) | +| USN | int | | No | | | `-1` | Update Sequence Number | +| DeletedUSN | int | | Yes | | | | USN at deletion (NULL = still present) | + +**Primary Key:** `PK_SA_FSAA_Gates` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Gates_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_Gates_ShareID` → `(HOST, ShareID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Gates_FolderID` → `(HOST, FolderID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Gates_PolicyID` → `(HOST, PolicyID) → SA_FSAA_Gates(HOST, ID)` (self-FK for NFS export policies) + +--- + +### SA_FSAA_GatesProxy {#sa_fsaa_gatesproxy} + +**Description:** Many-to-many bridge from a resource to gates. A resource may be reachable through multiple shares (or no share at all). The proxy `ID` is denormalized onto `SA_FSAA_Resources.GatesProxyID`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ID | bigint | | No | PK | | | Proxy ID — referenced by `Resources.GatesProxyID` | +| GateID | int | | No | PK | FK → SA_FSAA_Gates.ID | | Gate that grants reach to this resource | + +**Primary Key:** `PK_SA_FSAA_GatesProxy` — clustered on `(HOST, ID, GateID)` + +**Foreign Keys:** +- `FK_SA_FSAA_GatesProxy_GateID` → `(HOST, GateID) → SA_FSAA_Gates(HOST, ID) ON DELETE CASCADE` + +**Indexes:** +- `SA_FSAA_GatesProxy_GateID_IDX` — `(HOST, GateID)` INCLUDE `(ID)` + +--- + +### SA_FSAA_Policies {#sa_fsaa_policies} + +**Description:** Local Security Authority (LSA) policies attached to a host's "policy gates" (for example, *Logon as a service*, *Allow log on locally*). Used by the `SA_FSAA_GetPolicyMembership` UDF to expand pseudo-trustees such as `NT AUTHORITY\INTERACTIVE` and `NT AUTHORITY\SERVICE` into the underlying user accounts. `PolicyID` is a foreign key into `SA_FSAA_Gates` because policies are modeled as a special gate type. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| PolicyID | int | | No | PK | FK → SA_FSAA_Gates.ID | | Policy gate (1 = INTERACTIVE, 3 = BATCH, 4 = SERVICE, 5 = TERMINAL SERVER USER) | +| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Trustee assigned to the policy | +| Allow | smallint | | No | | | | Allow flag (1 = granted, 0 = denied) | + +**Primary Key:** `PK_SA_FSAA_Policies` — clustered on `(HOST, PolicyID, TrusteeID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Policies_PolicyID` → `(HOST, PolicyID) → SA_FSAA_Gates(HOST, ID) ON DELETE CASCADE` +- `FK_SA_FSAA_Policies_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAA_Exceptions {#sa_fsaa_exceptions} + +**Description:** One row per detected access-control anomaly (for example, *Open Access*, *Broken Inheritance*, *Direct User Permissions*). The kind of anomaly is identified by `ExceptionType` joining `SA_FSAA_ExceptionTypes`. Either `ResourceID`, `GateID`, `TrusteeID`, or `SourceTrusteeID` may be NULL depending on the exception class — for example, *Open Access* needs only Gate+Trustee, while *SID History* needs Trustee+SourceTrustee. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host exception ID | +| ExceptionType | int | | No | | | | Class of exception (logical reference to `SA_FSAA_ExceptionTypes.ExceptionType` — no enforced FK) | +| GateID | int | | Yes | | FK → SA_FSAA_Gates.ID | | Gate involved (if any) | +| ResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource involved (if any) | +| TrusteeID | int | | Yes | | FK → SA_FSAA_Trustees.ID | | Subject trustee (if any) | +| SourceTrusteeID | int | | Yes | | FK → SA_FSAA_Trustees.ID | | Source trustee — for SID-History exceptions, the historical SID's owner | + +**Primary Key:** `PK_SA_FSAA_Exceptions` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAA_Exceptions_HOST` → `(HOST) → SA_FSAA_Hosts(ID)` +- `FK_SA_FSAA_Exceptions_GateID` → `(HOST, GateID) → SA_FSAA_Gates(HOST, ID) ON DELETE CASCADE` +- `FK_SA_FSAA_Exceptions_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_Exceptions_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` +- `FK_SA_FSAA_Exceptions_SourceTrusteeID` → `(HOST, SourceTrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +**Indexes:** +- `SA_FSAA_Exceptions_Resource_IDX` — `(HOST, ResourceID)` INCLUDE `(ExceptionType, GateID)` + +:::note +`ExceptionType` joins `SA_FSAA_ExceptionTypes` logically but no SQL FK is enforced — the exception-type catalog is repopulated by the import pipeline and the absence of an FK avoids load-order constraints. +::: + +--- + +### SA_FSAA_ExceptionTypes {#sa_fsaa_exceptiontypes} + +**Description:** Per-host catalog of every exception class FSAA can detect. `ParentType` allows hierarchical grouping of related exceptions (for example, *Open Access — Everyone* is a child of *Open Access*). 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ExceptionType | int | | No | PK | | | Type code (referenced by `Exceptions.ExceptionType`) | +| GUID | varchar | 38 | No | | | | Stable GUID identifying this exception kind | +| USN | int | | No | | | | Update Sequence Number | +| Name | varchar | 128 | No | | | | Short name (for example, `OpenAccess`) | +| Description | varchar | 256 | No | | | | Human-readable description | +| Count | int | | No | | | | Cached count of `SA_FSAA_Exceptions` rows of this type | +| ParentType | int | | Yes | | | | Optional parent exception type (self-reference within the host) | + +**Primary Key:** `PK_SA_FSAA_ExceptionTypes` — clustered on `(HOST, ExceptionType)` + +**Foreign Keys:** +- `FK_SA_FSAA_ExceptionTypes_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_ProbableOwners {#sa_fsaa_probableowners} + +**Description:** Probable-owner heuristic results — one row per `(resource, candidate-owner)` pair, scored by file count and aggregated size of files the candidate owns within the resource subtree. Populated by the *Probable Owner* analysis job. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) being scored | +| OwnerID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Candidate owner | +| FileSize | bigint | | Yes | | | | Total bytes owned by this candidate within the subtree | +| FileCount | int | | Yes | | | | Number of files owned by this candidate within the subtree | + +**Primary Key:** `PK_SA_FSAA_ProbableOwners` — clustered on `(HOST, ResourceID, OwnerID)` + +**Foreign Keys:** +- `FK_SA_FSAA_ProbableOwners_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAA_ProbableOwners_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAA_ProbableOwners_OwnerID` → `(HOST, OwnerID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAA_FileSizes {#sa_fsaa_filesizes} + +**Description:** Aggregated size and count of all files within each resource subtree. Populated by the bulk-import pipeline when the *Sizing* option is enabled. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) | +| FileSize | bigint | | Yes | | | | Total file bytes within the subtree | +| FileCount | int | | Yes | | | | Total number of files within the subtree | + +**Primary Key:** `PK_SA_FSAA_FileSizes` — clustered on `(HOST, ResourceID)` + +**Foreign Keys:** +- `FK_SA_FSAA_FileSizes_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_FileTypes {#sa_fsaa_filetypes} + +**Description:** Per-extension breakdown of files within each resource subtree. One row per `(resource, extension)`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) | +| Extension | nvarchar | 255 | No | PK | | | File extension (for example, `.docx`) | +| FileSize | bigint | | Yes | | | | Total bytes of files with this extension | +| FileCount | int | | Yes | | | | Number of files with this extension | + +**Primary Key:** `PK_SA_FSAA_FileTypes` — clustered on `(HOST, ResourceID, Extension)` + +**Foreign Keys:** +- `FK_SA_FSAA_FileTypes_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_FileAges {#sa_fsaa_fileages} + +**Description:** Histogram of file age buckets within each resource subtree. The 11 `FileCount0..FileCount10` columns hold counts in successively older buckets; the bucket boundaries are determined at scan configuration time. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) | +| LastModified | datetime | | Yes | | | | Most recent file modification within the subtree | +| FileCount0 | int | | Yes | | | | Files in age bucket 0 (newest) | +| FileCount1 | int | | Yes | | | | Files in age bucket 1 | +| FileCount2 | int | | Yes | | | | Files in age bucket 2 | +| FileCount3 | int | | Yes | | | | Files in age bucket 3 | +| FileCount4 | int | | Yes | | | | Files in age bucket 4 | +| FileCount5 | int | | Yes | | | | Files in age bucket 5 | +| FileCount6 | int | | Yes | | | | Files in age bucket 6 | +| FileCount7 | int | | Yes | | | | Files in age bucket 7 | +| FileCount8 | int | | Yes | | | | Files in age bucket 8 | +| FileCount9 | int | | Yes | | | | Files in age bucket 9 | +| FileCount10 | int | | Yes | | | | 
Files in age bucket 10 (oldest) | + +**Primary Key:** `PK_SA_FSAA_FileAges` — clustered on `(HOST, ResourceID)` + +**Foreign Keys:** +- `FK_SA_FSAA_FileAges_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE` + +--- + +### SA_FSAA_FileTags {#sa_fsaa_filetags} + +**Description:** Aggregated file count and size per `(resource, tag-set)`. Populated when AIP / sensitive-data tags are collected. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ResourceID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Resource (folder/share) | +| TagProxyID | int | | No | PK | FK → SA_FSAA_TagKeys.TagProxyID | | Tag set | +| FileSize | bigint | | No | | | | Total bytes of files with this tag set | +| FileCount | int | | No | | | | Number of files with this tag set | + +**Primary Key:** `PK_SA_FSAA_FileTags` — clustered on `(HOST, ResourceID, TagProxyID)` + +**Foreign Keys:** +- `FK_SA_FSAA_FileTags_ResourceID` → `(HOST, ResourceID) → SA_FSAA_Resources(HOST, ID) ON DELETE CASCADE` +- `FK_SA_FSAA_FileTags_TagProxyID` → `(HOST, TagProxyID) → SA_FSAA_TagKeys(HOST, TagProxyID)` + +--- + +### SA_FSAA_ScanHistory {#sa_fsaa_scanhistory} + +**Description:** Append-only audit log of every scan run, including the FSAA configuration XML used. Useful for forensic / configuration-tracking purposes. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| ConsoleHost | nvarchar | 64 | Yes | | | | NAA console that initiated the scan | +| ScanHost | nvarchar | 64 | Yes | | | | Host machine that performed the scan | +| ScanType | nvarchar | 64 | Yes | | | | Scan type (Access / Activity / DLP) | +| JobGUID | varchar | 38 | Yes | | | | Job correlation GUID | +| RunTime | datetime2 | | Yes | | | | When the scan ran | +| FSAAConfigXml | xml | | Yes | | | | Snapshot of the FSAA XML configuration | + +This table is intentionally append-only with no primary key, foreign keys, or indexes. Every scan run inserts a new row; rows are never updated and are not referenced by other tables. Querying is by `ScanHost` / `RunTime` and is expected to be infrequent (forensic / support use). + +--- + +## Activity Collector Tables (SA_FSAC_*) {#activity-collector-tables-sa_fsac_} + +The following tables are produced by the **File System Activity Collector**. They capture audit events streamed from agents on the file servers and roll those events up into daily-activity aggregates and exception detections. + +### SA_FSAC_ProcessNames {#sa_fsac_processnames} + +**Description:** Per-host lookup of process names observed in audit events. Activity events reference process names by `ID` to avoid storing the same long path string repeatedly. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host process-name ID | +| Name | nvarchar | 255 | No | | | | Process name (for example, `EXPLORER.EXE`) | + +**Primary Key:** `PK_SA_FSAC_ProcessNames` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAC_ProcessNames_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSAC_ActivityEvents {#sa_fsac_activityevents} + +**Description:** The activity-event firehose. One row per audited file-system operation captured by an FSAC agent. `Operation` is a coded enumeration covering Read / Add / Update / Delete / PermissionChange / Rename. `Allow` is `1` for successful operations and `0` for denied operations. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | bigint | | No | PK | | | Per-host event ID | +| AccessTime | datetime2 | | No | | | | Time the operation occurred | +| PathID | bigint | | No | | FK → SA_FSAA_Resources.ID | | Resource (file or folder) the operation acted on | +| TrusteeID | int | | No | | FK → SA_FSAA_Trustees.ID | | The user / principal that performed the operation | +| ProcessID | int | | Yes | | FK → SA_FSAC_ProcessNames.ID | | Process executing the operation (NULL if unknown) | +| Operation | tinyint | | No | | | | Operation code: `0`=Read, `1`=Add, `2`=Update, `3`=Delete, `4`=PermissionChange, `5`=Rename | +| Allow | bit | | No | | | `1` | `1` = operation allowed, `0` = operation denied | +| USN | int | | No | | | | Update Sequence Number | + +**Primary Key:** `PK_SA_FSAC_ActivityEvents` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSAC_ActivityEvents_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- 
`FK_SA_FSAC_ActivityEvents_PathID` → `(HOST, PathID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAC_ActivityEvents_ProcessID` → `(HOST, ProcessID) → SA_FSAC_ProcessNames(HOST, ID)` +- `FK_SA_FSAC_ActivityEvents_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +**Indexes:** +- `SA_FSAC_ActivityEvents_PathID_IDX` — `(HOST, PathID)` INCLUDE `(ID, AccessTime, TrusteeID, Operation, Allow)` +- `SA_FSAC_ActivityEvents_TrusteeID_IDX` — `(TrusteeID, AccessTime)` INCLUDE `(PathID, ProcessID, Operation, Allow)` + +--- + +### SA_FSAC_PermissionChanges {#sa_fsac_permissionchanges} + +**Description:** Detail rows for activity events where `Operation = 4` (PermissionChange). Each event may have multiple change rows — one per ACE that was added, removed, or modified. `AccessRights` is the bitmask before the change; `NewAccessRights` is the bitmask after the change (NULL on removal). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ActivityID | bigint | | No | PK | FK → SA_FSAC_ActivityEvents.ID | | Owning activity event | +| ChangeID | smallint | | No | PK | | | Per-event change index | +| AclType | tinyint | | No | | | | ACL type (DACL / SACL distinction) | +| TrusteeID | int | | No | | FK → SA_FSAA_Trustees.ID | | Trustee whose ACE changed | +| ChangeType | tinyint | | No | | | | Change kind: added / removed / modified | +| AceType | tinyint | | No | | | | ACE type (Allow / Deny) | +| InheritanceFlags | tinyint | | No | | | | NTFS inheritance flags | +| AceFlags | tinyint | | No | | | | NTFS ACE flags | +| AccessRights | bigint | | No | | | | Pre-change Windows access mask | +| NewAccessRights | bigint | | Yes | | | | Post-change access mask (NULL when ACE was removed) | + +**Primary Key:** `PK_SA_FSAC_PermissionChanges` — clustered on `(HOST, ActivityID, ChangeID)` + +**Foreign Keys:** +- `FK_SA_FSAC_PermissionChanges_HOST` 
→ `(HOST) → SA_FSAA_Hosts(ID)` +- `FK_SA_FSAC_PermissionChanges_ActivityID` → `(HOST, ActivityID) → SA_FSAC_ActivityEvents(HOST, ID)` +- `FK_SA_FSAC_PermissionChanges_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAC_OwnerChanges {#sa_fsac_ownerchanges} + +**Description:** Detail rows for activity events that changed a resource's owner (Take Ownership / chown). One row per qualifying activity event. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ActivityID | bigint | | No | PK | FK → SA_FSAC_ActivityEvents.ID | | Owning activity event | +| PreviousOwnerID | int | | No | | FK → SA_FSAA_Trustees.ID | | Owner before the change | +| NewOwnerID | int | | No | | FK → SA_FSAA_Trustees.ID | | Owner after the change | + +**Primary Key:** `PK_SA_FSAC_OwnerChanges` — clustered on `(HOST, ActivityID)` + +**Foreign Keys:** +- `FK_SA_FSAC_OwnerChanges_HOST` → `(HOST) → SA_FSAA_Hosts(ID)` +- `FK_SA_FSAC_OwnerChanges_ActivityID` → `(HOST, ActivityID) → SA_FSAC_ActivityEvents(HOST, ID)` +- `FK_SA_FSAC_OwnerChanges_PreviousOwnerID` → `(HOST, PreviousOwnerID) → SA_FSAA_Trustees(HOST, ID)` +- `FK_SA_FSAC_OwnerChanges_NewOwnerID` → `(HOST, NewOwnerID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAC_DailyActivity {#sa_fsac_dailyactivity} + +**Description:** Daily aggregation of activity-event counts, partitioned by `(host, date, folder, trustee, operation, allow)`. The folder ID is the *containing folder* for the operation, so each row counts how many operations of a given type a trustee performed in a folder on a given day. This table feeds the daily-activity views and the *Most Active Users* / *Most Active Servers* reports. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ActivityDate | date | | No | PK | | | Date the activity occurred | +| FolderID | bigint | | No | PK | FK → SA_FSAA_Resources.ID | | Containing folder | +| TrusteeID | int | | No | PK | FK → SA_FSAA_Trustees.ID | | Acting trustee | +| Operation | tinyint | | No | PK | | | Operation code (0–5) | +| Allow | bit | | No | PK | | `1` | Allow / Deny flag | +| Count | int | | No | | | | Number of operations | + +**Primary Key:** `PK_SA_FSAC_DailyActivity` — clustered on `(HOST, FolderID, ActivityDate, TrusteeID, Operation, Allow)` + +**Foreign Keys:** +- `FK_SA_FSAC_DailyActivity_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAC_DailyActivity_FolderID` → `(HOST, FolderID) → SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSAC_DailyActivity_TrusteeID` → `(HOST, TrusteeID) → SA_FSAA_Trustees(HOST, ID)` + +--- + +### SA_FSAC_RenameTargets {#sa_fsac_renametargets} + +**Description:** Detail rows for `Operation = 5` (Rename) activity events: stores the *target* path-ID of the rename. The activity event itself records the *source* path; this table records the destination. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ActivityID | bigint | | No | PK | FK → SA_FSAC_ActivityEvents.ID | | Owning rename event | +| TargetPathID | bigint | | No | | FK → SA_FSAA_Resources.ID | | Resource the source was renamed to | + +**Primary Key:** `PK_SA_FSAC_RenameTargets` — clustered on `(HOST, ActivityID)` + +**Foreign Keys:** +- `FK_SA_FSAC_RenameTargets_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSAC_RenameTargets_ActivityID` → `(HOST, ActivityID) → SA_FSAC_ActivityEvents(HOST, ID)` +- `FK_SA_FSAC_RenameTargets_TargetPathID` → `(HOST, TargetPathID) → SA_FSAA_Resources(HOST, ID)` + +--- + +### SA_FSAC_ExceptionTypes {#sa_fsac_exceptiontypes} + +**Description:** Catalog of activity-exception classes (for example, *Unusual hourly activity*, *Mass deletion*, *Ransomware artifact*). One row per `(host, exception type)`. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ExceptionType | int | | No | PK | | | Exception type code | +| Name | varchar | 128 | No | | | | Short name | +| Description | varchar | 256 | No | | | | Human-readable description | +| Count | int | | No | | | | Cached count of `SA_FSAC_Exceptions` rows of this type | +| ParentType | int | | Yes | | | | Optional parent exception type for hierarchical grouping | + +**Primary Key:** `PK_SA_FSAC_ExceptionTypes` — clustered on `(HOST, ExceptionType)` + +--- + +### SA_FSAC_Exceptions {#sa_fsac_exceptions} + +**Description:** One row per detected activity anomaly. The `Value` / `Average` / `StandardDeviations` columns capture the statistical model output that triggered the exception (for example, observed value vs. baseline). 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| ID | int | | No | PK | | | Per-host exception ID | +| ExceptionType | int | | No | | | | Class of exception (logical reference to `SA_FSAC_ExceptionTypes.ExceptionType` — no enforced FK) | +| ActivityDate | date | | No | | | | Date the anomaly occurred | +| ActivityHour | tinyint | | Yes | | | | Hour-of-day (0–23) for hourly-bucketed anomalies | +| GateID | int | | No | | | | Gate (share) where the anomaly was observed | +| TrusteeID | int | | Yes | | | | User involved (if applicable) | +| ResourceID | bigint | | Yes | | | | Resource involved (if applicable) | +| Value | int | | Yes | | | | Observed value (for example, operation count) | +| Average | float | | Yes | | | | Baseline average for comparison | +| StandardDeviations | float | | Yes | | | | How many σ the observed value is from the average | + +**Primary Key:** `PK_SA_FSAC_Exceptions` — clustered on `(HOST, ID)` + +**Indexes:** +- `SA_FSAC_Exceptions_ResourceID_IDX` — `(HOST, ResourceID)` INCLUDE `(GateID)` + +:::note +No foreign keys are declared on this table; `GateID`, `TrusteeID`, `ResourceID`, and `ExceptionType` are logical references only. +::: + +--- + +### SA_FSAC_UserExceptionTypes {#sa_fsac_userexceptiontypes} + +**Description:** User-centric variant of `SA_FSAC_ExceptionTypes` — partitioned by user `SID` instead of by host. Used when an exception is associated with a particular user across multiple hosts. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| SID | varchar | 184 | No | PK | | | User SID | +| ExceptionType | int | | No | PK | | | Exception type code | +| Name | varchar | 128 | No | | | | Short name | +| Description | varchar | 256 | No | | | | Description | +| Count | int | | No | | | | Cached count | +| ParentType | int | | Yes | | | | Optional parent exception type | + +**Primary Key:** `PK_SA_FSAC_UserExceptionTypes` — clustered on `(SID, ExceptionType)` + +--- + +### SA_FSAC_UserExceptions {#sa_fsac_userexceptions} + +**Description:** One row per detected per-user activity anomaly (for example, unusual login pattern attributed to a specific SID). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| SID | varchar | 184 | No | | | | User SID | +| ID | int | | No | PK | | | Surrogate exception ID | +| ExceptionType | int | | No | | | | Exception type | +| ActivityDate | date | | No | | | | Date the anomaly occurred | +| ActivityStartTime | tinyint | | Yes | | | | Start hour of the activity window (0–23) | +| ActivityPeriod | tinyint | | Yes | | | | Length of the activity window in hours | +| Value | int | | Yes | | | | Observed value | +| Average | float | | Yes | | | | Baseline average | +| StandardDeviations | float | | Yes | | | | σ from baseline | + +**Primary Key:** `PK_SA_FSAC_UserExceptions` — clustered on `(ID)` + +--- + +## Sensitive Data Tables (SA_FSDLP_*) {#sensitive-data-tables-sa_fsdlp_} + +The following tables are produced by the **Sensitive Data / DLP collector**. They capture matches against configured DLP criteria, including per-match excerpt context and links to the subject-profile system that ties hits to specific identities. + +### SA_FSDLP_ImportHistory {#sa_fsdlp_importhistory} + +**Description:** Append-only history of DLP scan imports per host. One row per imported scan run. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| GUID | varchar | 38 | No | | | | Scan correlation GUID | +| USN | int | | No | PK | | | USN at import time | + +**Primary Key:** `PK_SA_FSDLP_ImportHistory` — clustered on `(HOST, USN)` + +**Foreign Keys:** +- `FK_SA_FSDLP_ImportHistory_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSDLP_Criteria {#sa_fsdlp_criteria} + +**Description:** Per-host catalog of the DLP criteria (patterns / classifiers) that produced matches. The `pattern_guid` is the global identifier that links back to the centrally managed criteria definitions. `Risk` is a numeric severity score. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | +| ID | int | | No | PK | | | Per-host criterion ID | +| Name | nvarchar | 256 | No | | | | Criterion name (for example, "US Social Security Number") | +| Risk | int | | No | | | `0` | Risk score | +| pattern_guid | uniqueidentifier | | Yes | | | | Global criterion GUID | + +**Primary Key:** `PK_SA_FSDLP_Criteria` — clustered on `(HOST, ID)` + +**Foreign Keys:** +- `FK_SA_FSDLP_Criteria_HOST` → `(HOST) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` + +--- + +### SA_FSDLP_Matches {#sa_fsdlp_matches} + +**Description:** One row per `(file, criterion)` pair where the criterion produced at least one hit in the file. `MatchCount` is the total number of hits. + +`DataSource` is a bitmask indicating where in the file the matches came from: `1` = Content, `2` = Metadata, `4` = Filename. Combinations are summed (for example, `5` = Content + Filename). 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| FileId | bigint | | No | PK | | | Resource ID of the matched file (joins `SA_FSAA_Resources.ID`) | +| CriteriaId | int | | No | PK | FK → SA_FSDLP_Criteria.ID | | Criterion that matched | +| MatchCount | int | | Yes | | | | Number of hits within this file for this criterion | +| DataSource | int | | No | | | `0` | Bitmask: 1=Content, 2=Metadata, 4=Filename | + +**Primary Key:** `PK_SA_FSDLP_Matches` — clustered on `(HOST, FileId, CriteriaId)` + +**Foreign Keys:** +- `FK_SA_FSDLP_Matches_CriteriaId` → `(HOST, CriteriaId) → SA_FSDLP_Criteria(HOST, ID) ON DELETE CASCADE` + +--- + +### SA_FSDLP_MatchHits {#sa_fsdlp_matchhits} + +**Description:** Per-hit detail rows. For every match in `SA_FSDLP_Matches`, this table holds the prefix / data / suffix excerpt around each hit, plus a confidence score. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| FileId | bigint | | No | PK | | | Resource ID of the matched file | +| CriteriaId | int | | No | PK | | | Criterion that produced the hit | +| ID | bigint | | No | PK | | | Per-`(File, Criterion)` hit ID | +| SubFileName | nvarchar | 1024 | Yes | | | | Sub-file name (for archives such as ZIP / RAR) | +| MatchPrefix | nvarchar | 1024 | Yes | | | | Text immediately before the matched data | +| MatchData | nvarchar | 1024 | Yes | | | | The matched data itself | +| MatchSuffix | nvarchar | 1024 | Yes | | | | Text immediately after the matched data | +| Confidence | int | | No | | | `0` | Confidence score (0–100) | +| DataSource | int | | No | | | `0` | Where the hit was found (see `SA_FSDLP_Matches.DataSource`) | + +**Primary Key:** `PK_SA_FSDLP_MatchHits` — clustered on `(HOST, FileId, CriteriaId, ID)` + +**Foreign Keys:** +- 
`FK_SA_FSDLP_MatchHits_Match` → `(HOST, FileId, CriteriaId) → SA_FSDLP_Matches(HOST, FileId, CriteriaId) ON DELETE CASCADE` + +--- + +### SA_FSDLP_MatchHits_SubjectProfile {#sa_fsdlp_matchhits_subjectprofile} + +**Description:** Links a DLP match hit to the subject-profile system, which identifies which person / entity the hit is about. Populated when subject-profile correlation is enabled. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| HOST | int | | No | PK | | | Host partition | +| FileId | bigint | | No | PK | | | Resource ID of the matched file | +| CriteriaId | int | | No | PK | | | Criterion that produced the hit | +| ID | bigint | | No | PK | FK → SA_FSDLP_MatchHits.ID | | Hit ID | +| SourceId | int | | No | | FK → SA_SubjectProfile_Sources.Id | | Subject-profile source | +| IdentityId | bigint | | No | | FK → SA_SubjectProfile_Identities.Id | | Resolved identity | +| AttributeId | int | | No | | | | Attribute on the identity that the hit aligns with | +| Order | int | | No | | | | Position within multi-valued attributes | + +**Primary Key:** `PK_SA_FSDLP_MatchHits_SubjectProfile` — clustered on `(HOST, FileId, CriteriaId, ID)` + +**Foreign Keys:** +- `FK_SA_FSDLP_MatchHits_SubjectProfile` → `(HOST, FileId, CriteriaId, ID) → SA_FSDLP_MatchHits(HOST, FileId, CriteriaId, ID) ON DELETE CASCADE` +- `FK_SA_FSDLP_MatchHits_SubjectProfile_Source` → `(SourceId) → SA_SubjectProfile_Sources(Id)` +- `FK_SA_FSDLP_MatchHits_SubjectProfile_Identity` → `(IdentityId) → SA_SubjectProfile_Identities(Id)` +- `FK_SA_FSDLP_MatchHits_SubjectProfile_Attribute` → `(IdentityId, AttributeId, Order) → SA_SubjectProfile_AttributeValues(IdentityId, AttributeId, Order) ON DELETE CASCADE` + +**Indexes:** +- `SA_FSDLP_MatchHits_SubjectProfile_Source_IDX` — nonclustered on `(SourceId)` +- `SA_FSDLP_MatchHits_SubjectProfile_Identity_IDX` — nonclustered on `(IdentityId)` + +:::note +The `SA_SubjectProfile_*` tables are 
owned by the central Subject Profile module and are documented separately. +::: + +--- + +## DFS Namespace Tables (SA_FSDFS_*) {#dfs-namespace-tables-sa_fsdfs_} + +The following tables are produced by the **DFS Namespace collector**. They capture Microsoft DFS namespaces and the links that map DFS paths to underlying physical shares. + +### SA_FSDFS_Namespaces {#sa_fsdfs_namespaces} + +**Description:** One row per discovered DFS namespace (for example, `\\contoso.com\public`). Each namespace anchors zero or more DFS links. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| ID | int | | No | PK | | IDENTITY(1,1) | Surrogate namespace ID | +| HOST | int | | No | | | | Host that owns the namespace record | +| Name | nvarchar | 450 | No | | | | DFS namespace name | +| RootHostID | int | | Yes | | FK → SA_FSAA_Hosts.ID | | The FSAA host that hosts the namespace root | +| RootGateID | int | | Yes | | | | The gate (share) that backs the namespace root | + +**Primary Key:** `PK_SA_FSDFS_Namespaces` — clustered on `(ID)` + +**Foreign Keys:** +- `FK_SA_FSDFS_Namespaces_Hosts` → `(RootHostID) → SA_FSAA_Hosts(ID) ON DELETE CASCADE` +- `FK_SA_FSDFS_Namespaces_GateID` → `(RootHostID, RootGateID) → SA_FSAA_Gates(HOST, ID)` + +--- + +### SA_FSDFS_Links {#sa_fsdfs_links} + +**Description:** Each DFS link maps a logical DFS path (for example, `\\contoso.com\public\sales`) to a physical target path on a specific server. Multiple links may exist per namespace. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| ID | int | | No | PK | | IDENTITY(1,1) | Surrogate link ID | +| HOST | int | | No | PK | | | Host partition (the DFS host) | +| NamespaceID | int | | Yes | | FK → SA_FSDFS_Namespaces.ID | | Owning namespace | +| NamespaceName | nvarchar | 512 | No | | | | Cached namespace name | +| DfsPath | nvarchar | 400 | No | | | | DFS-side logical path (for example, `sales\reports`) | +| DfsResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource representing the DFS-side path (when available) | +| DfsHostID | int | | Yes | | | | Host on the DFS side | +| TargetPath | nvarchar | 450 | No | | | | UNC path of the physical target (for example, `\\fileserver\sales`) | +| TargetHostID | int | | Yes | | FK → SA_FSAA_Hosts.ID | | FSAA host that holds the physical target | +| TargetGateID | int | | Yes | | FK → SA_FSAA_Gates.ID | | Gate (share) that holds the physical target | +| TargetResourceID | bigint | | Yes | | FK → SA_FSAA_Resources.ID | | Resource on the target host | +| State | int | | Yes | | | | DFS link state (online / offline) | +| Timeout | int | | Yes | | | | DFS-link cache timeout | +| DfsGuid | uniqueidentifier | | Yes | | | | DFS link's unique identifier | +| Comment | nvarchar | 1024 | Yes | | | | Free-text comment | +| IsRoot | bit | | No | | | | True if this link represents the namespace root rather than a sub-link | + +**Primary Key:** `PK_SA_FSDFS_Links` — clustered on `(HOST, ID)` + +**Unique Constraints:** `UQ_FSDFS_Links_DfsPath` — unique on `(DfsPath, NamespaceID)` + +**Foreign Keys:** +- `FK_SA_FSDFS_Links_NamespaceID` → `(NamespaceID) → SA_FSDFS_Namespaces(ID) ON DELETE CASCADE` +- `FK_SA_FSDFS_Links_TargetHostID` → `(TargetHostID) → SA_FSAA_Hosts(ID)` +- `FK_SA_FSDFS_Links_TargetGateID` → `(TargetHostID, TargetGateID) → SA_FSAA_Gates(HOST, ID)` +- `FK_SA_FSDFS_Links_TargetResourceID` → `(TargetHostID, TargetResourceID) → 
SA_FSAA_Resources(HOST, ID)` +- `FK_SA_FSDFS_Links_DfsResourceID` → `(DfsHostID, DfsResourceID) → SA_FSAA_Resources(HOST, ID)` + +**Indexes:** +- `SA_FSDFS_Links_GateID_IDX` — `(TargetHostID, TargetGateID)` diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json new file mode 100644 index 0000000000..1ae864a8b0 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Enumeration & Lookup Values Reference", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md new file mode 100644 index 0000000000..b3f3319482 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md 
@@ -0,0 +1,98 @@ +# Enumeration & Lookup Values Reference + +This section documents the possible values stored in coded columns used throughout the FSAA DC schema. These values appear in core data tables and are decoded into human-readable labels by views. + +--- + +## TrusteeType + +Referenced by `SA_FSAA_Trustees.TrusteeType` and `SA_FSAA_LocalTrustees.TrusteeType`. + +| Value | Name | Description | +|---|---|---| +| 0 | Unknown | Type could not be determined | +| 1 | SecurityPrincipal | Built-in / well-known security principal (for example, `Everyone`) | +| 2 | LocalUser | Local user account | +| 3 | LocalGroup | Local group account | +| 4 | GlobalUser | Domain user account ("Domain User" in views) | +| 5 | GlobalGroup | Domain group account ("Domain Group" in views) | +| 6 | SharepointUser | SharePoint user | +| 7 | SharepointGroup | SharePoint group | +| 8 | Unsupported | Trustee type not supported | +| 9 | ServiceAccount | Service account | +| 10 | Computer | Computer account | +| 11 | GlobalTrustee | Cross-domain trustee | +| 20 | UnixUser | POSIX user | +| 21 | UnixGroup | POSIX group | + +:::note +The descriptive labels emitted by views (`SA_FSAA_PermissionsView.TrusteeTypeDescription`, etc.) cover values 0, 1, 2, 3, 4, 5, 8, 9, and 10 only. +::: + +--- + +## ResourceType + +Referenced by `SA_FSAA_Resources.ResourceType`. + +| Value | Name | View label | Description | +|---|---|---|---| +| 0 | Share | Share | SMB / Windows share root | +| 1 | NFSExport | Share | NFS export root | +| 2 | NetAppVolume | Folder | NetApp volume root | +| 3 | WinDir | Folder | Windows directory | +| 4 | WinFile | File | Windows file | +| 5 | UnixDir | Folder | Unix directory | +| 6 | UnixFile | File | Unix file | + +Views map these to three labels using `CASE WHEN r.ResourceType IN (0,1) THEN 'Share' WHEN r.ResourceType IN (2,3,5) THEN 'Folder' WHEN r.ResourceType IN (4,6) THEN 'File' END`. + +--- + +## GateType + +Referenced by `SA_FSAA_Gates.GateType`. 
+ +| Value | Description | +|---|---| +| 0 | SMB share gate | +| 1 | Policy gate (LSA logon-right pseudo-trustee container — `INTERACTIVE`, `BATCH`, `SERVICE`, `TERMINAL SERVER USER`, etc.) | +| 2 | NFS export gate | + +Share gates (`0`/`2`) carry NTFS / share permissions and are reachable via `SA_FSAA_GatesProxy`. Policy gates (`1`) are produced by the local-policy enumerator: they have no `ShareID` or `FolderID`, and their members are stored in `SA_FSAA_Policies` and resolved at query time by `SA_FSAA_GetPolicyMembership`. Views that surface share traversal label any non-zero `GateType` as `'NFS'` for legacy compatibility (`CASE WHEN g.GateType = 0 THEN 'SMB' ELSE 'NFS' END`); policy gates are normally filtered out by the `r.GatesProxyID IS NOT NULL` predicate before reaching that CASE. + +--- + +## Rights Bitmask + +The simplified six-bit FSAA rights model. Used in `SA_FSAA_Rights.AllowRights`, `DenyRights`, `DirectAllowRights`, `InheritedAllowRights`, `DirectDenyRights`, `InheritedDenyRights` and surfaced in views as the `AllowRightsDescription` / `DenyRightsDescription` text columns (for example, `LRWDMA`). + +| Bit | Hex / Decimal | Letter | Name | +|---|---|---|---| +| 0 | `0x01` (1) | R | Read | +| 1 | `0x02` (2) | W | Write | +| 2 | `0x04` (4) | D | Delete | +| 3 | `0x08` (8) | M | Manage | +| 4 | `0x10` (16) | A | Admin | +| 5 | `0x20` (32) | L | List | + +The corresponding Windows mask values are stored separately in the `*Mask` columns. 
Common mappings used by `SA_FSAA_PermissionsView.AllowMaskDescription`: + +| Mask (decimal) | Description | +|---|---| +| 0 | None | +| 2032127 | Full Control (allow) | +| 1245631 | Modify | +| 1179817 | Read & Execute (or "List folder contents" when `AllowRights = 32`) | +| 1179785 | Read | +| 1179926 | Write | +| 983551 | Full Control (deny) | +| 197055 | Modify (deny) | +| 1310720 | Change Permissions | +| 1572864 | Take Ownership | +| 1114112 | Delete | +| 1179648 | Read Permissions | + +:::note +Many additional special-permission decimal values are decoded by the `CASE` expression in `SA_FSAA_PermissionsView` / `SA_FSAA_DirectPermissionsView` / `SA_FSAA_InheritedPermissionsView`. +::: diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json new file mode 100644 index 0000000000..8e87e36269 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Table Relationship Diagrams (ERD)", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md new file mode 100644 index 0000000000..42c771436c --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md 
@@ -0,0 +1,193 @@ +# Table Relationship Diagrams (ERD) + +The schema is broken into subsystem-focused sub-diagrams below. Relationship lines use standard crow's foot notation: a single vertical bar on the parent side and a crow's foot (fork) on the child side means "exactly one parent, zero or more children"; a single bar on each side with an open circle means one-to-zero-or-one (sidecar / extension table). + +:::note +Every core table includes a `HOST INT` column that is a foreign key to `SA_FSAA_Hosts.ID` with `ON DELETE CASCADE`. To keep the sub-diagrams readable, that fan-out is shown only in the **Top-level partitioning** diagram; in the other diagrams `HOST` is implicit on every relationship. + +Tables not shown in any diagram (no foreign keys): `SA_FSAA_SchemaVer` (single-row config) and `SA_FSAA_ScanHistory` (audit log). +::: + +--- + +## Top-level Partitioning + +`SA_FSAA_Hosts` is the root of the schema. Every other table includes a `HOST` column whose foreign key cascades on delete, so removing a host atomically purges its entire data set. The diagrams below are **representative, not exhaustive** — they show the parent tables for each subsystem; the per-subsystem diagrams below cover the remaining HOST-partitioned tables (for example, `SA_FSAA_Rights`, `SA_FSAA_LocalTrustees`, `SA_FSAA_GatesProxy`, `SA_FSAA_Policies`, the four `SA_FSAA_File*` aggregations, and every `SA_FSAC_*` / `SA_FSDLP_*` / `SA_FSDFS_*` table). 
+ +**Core subsystem roots:** + +```mermaid +erDiagram + SA_FSAA_Hosts ||--o{ SA_FSAA_ImportHistory : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_Trustees : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_Resources : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_Gates : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_ExceptionTypes : "HOST" +``` + +**Tag infrastructure and exception/ownership tables:** + +```mermaid +erDiagram + SA_FSAA_Hosts ||--o{ SA_FSAA_Tags : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_TagKeys : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_TagProxies : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_Exceptions : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAA_ProbableOwners : "HOST" +``` + +--- + +## Trustees + +`SA_FSAA_Trustees` is the canonical trustee table. `SA_FSAA_LocalTrustees` is a 1:0..1 *extension* that adds NT-style domain/name/display fields for principals that are local to the host. `SA_FSAA_TrusteeEquivalence` is the local-group-membership edge table — `TrusteeID` is the member, `EquivalentTrusteeID` is the local-group it belongs to. + +```mermaid +erDiagram + SA_FSAA_Trustees ||--o| SA_FSAA_LocalTrustees : "ID (extension)" + SA_FSAA_Trustees ||--o{ SA_FSAA_TrusteeEquivalence : "TrusteeID (member)" + SA_FSAA_LocalTrustees ||--o{ SA_FSAA_TrusteeEquivalence : "EquivalentTrusteeID (group)" +``` + +--- + +## Resources & Content Aggregations {#resources--content-aggregations} + +`SA_FSAA_Resources` is the file/folder/share tree (note the self-reference for parent-child folder hierarchy and the `OwnerID` FK back to `SA_FSAA_Trustees`). The five sidecar tables on the right hold per-resource aggregations populated by the structural import. 
+ +```mermaid +erDiagram + SA_FSAA_Resources ||--o{ SA_FSAA_Resources : "ParentResourceID (self)" + SA_FSAA_Trustees ||--o{ SA_FSAA_Resources : "OwnerID" + + SA_FSAA_Resources ||--o{ SA_FSAA_FileSizes : "ResourceID" + SA_FSAA_Resources ||--o{ SA_FSAA_FileTypes : "ResourceID" + SA_FSAA_Resources ||--o{ SA_FSAA_FileAges : "ResourceID" + SA_FSAA_Resources ||--o{ SA_FSAA_UnixRights : "ResourceID" + SA_FSAA_Resources ||--o{ SA_FSAA_ProbableOwners : "ResourceID" + + SA_FSAA_Trustees ||--o{ SA_FSAA_UnixRights : "OwnerID + GroupID" + SA_FSAA_Trustees ||--o{ SA_FSAA_ProbableOwners : "OwnerID" +``` + +--- + +## Gates and Permissions + +A "gate" is a way to reach a resource — an SMB share, NFS export, or LSA-policy container. `SA_FSAA_Gates` self-references through `PolicyID` (an NFS export gate points at its export-policy gate). `SA_FSAA_GatesProxy` is the dedup bridge between resources and gates (`SA_FSAA_Resources.GatesProxyID` is a logical reference, not an enforced FK). `SA_FSAA_Rights` holds the per-trustee allow/deny ACL entries; `RightsProxyID` is also a logical reference from `SA_FSAA_Resources` rather than an enforced FK. + +```mermaid +erDiagram + SA_FSAA_Gates ||--o{ SA_FSAA_Gates : "PolicyID (self)" + SA_FSAA_Resources ||--o{ SA_FSAA_Gates : "ShareID + FolderID" + + SA_FSAA_Gates ||--o{ SA_FSAA_GatesProxy : "GateID" + SA_FSAA_Gates ||--o{ SA_FSAA_Policies : "PolicyID" + SA_FSAA_Trustees ||--o{ SA_FSAA_Policies : "TrusteeID" + + SA_FSAA_Trustees ||--o{ SA_FSAA_Rights : "TrusteeID" +``` + +:::note +Logical (un-enforced) references not shown: `SA_FSAA_Resources.RightsProxyID → SA_FSAA_Rights.RightsProxyID` and `SA_FSAA_Resources.GatesProxyID → SA_FSAA_GatesProxy.ID`. These are denormalized pointers maintained by the import pipeline; no FK constraint is created on them so that bulk imports can stage rows in any order. +::: + +--- + +## Tags + +Tags use a three-table dedup pattern. `SA_FSAA_Tags` holds each unique tag string. 
`SA_FSAA_TagKeys` defines a "tag set" identity. `SA_FSAA_TagProxies` is the membership table linking tag sets to their tags. `SA_FSAA_Resources.TagProxyID` and `SA_FSAA_FileTags.TagProxyID` reference the tag-set identity in `TagKeys`. + +```mermaid +erDiagram + SA_FSAA_TagKeys ||--o{ SA_FSAA_TagProxies : "TagProxyID" + SA_FSAA_Tags ||--o{ SA_FSAA_TagProxies : "TagID" + SA_FSAA_TagKeys ||--o{ SA_FSAA_FileTags : "TagProxyID" + SA_FSAA_Resources ||--o{ SA_FSAA_FileTags : "ResourceID" +``` + +--- + +## Exceptions + +`SA_FSAA_ExceptionTypes` is the per-host catalog of exception classes. `SA_FSAA_Exceptions` carries one row per detected anomaly and has FKs out to *all four* foundational tables — Hosts, Gates, Resources, and Trustees (twice — `TrusteeID` and `SourceTrusteeID`). Most of these FK columns are nullable because different exception types use different combinations. + +```mermaid +erDiagram + SA_FSAA_ExceptionTypes ||--o{ SA_FSAA_Exceptions : "ExceptionType" + SA_FSAA_Gates ||--o{ SA_FSAA_Exceptions : "GateID" + SA_FSAA_Resources ||--o{ SA_FSAA_Exceptions : "ResourceID" + SA_FSAA_Trustees ||--o{ SA_FSAA_Exceptions : "TrusteeID" + SA_FSAA_Trustees ||--o{ SA_FSAA_Exceptions : "SourceTrusteeID" +``` + +--- + +## Activity Collection + +`SA_FSAC_ActivityEvents` is the audit-event firehose; each row is one observed file-system operation (read / add / update / delete / permission-change / rename). Every event references the resource (`PathID`), the trustee that performed the operation, and the process (`ProcessID`) that ran it. Three detail tables hang off `ActivityEvents`: `SA_FSAC_PermissionChanges` and `SA_FSAC_OwnerChanges` for permission-change and owner-change details, and `SA_FSAC_RenameTargets` for rename destinations. `SA_FSAC_DailyActivity` is a daily aggregation rolled up by `(folder, trustee, operation)`. `SA_FSAC_Exceptions` records detected anomalies; `SA_FSAC_UserExceptions` is the per-user variant (partitioned by `SID` instead of by host). 
+ +```mermaid +erDiagram + SA_FSAA_Hosts ||--o{ SA_FSAC_ProcessNames : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAC_ActivityEvents : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSAC_DailyActivity : "HOST" + + SA_FSAA_Resources ||--o{ SA_FSAC_ActivityEvents : "PathID" + SA_FSAA_Trustees ||--o{ SA_FSAC_ActivityEvents : "TrusteeID" + SA_FSAC_ProcessNames ||--o{ SA_FSAC_ActivityEvents : "ProcessID" + + SA_FSAC_ActivityEvents ||--o{ SA_FSAC_PermissionChanges : "ActivityID" + SA_FSAC_ActivityEvents ||--o| SA_FSAC_OwnerChanges : "ActivityID" + SA_FSAC_ActivityEvents ||--o| SA_FSAC_RenameTargets : "ActivityID" + + SA_FSAA_Trustees ||--o{ SA_FSAC_PermissionChanges : "TrusteeID" + SA_FSAA_Trustees ||--o{ SA_FSAC_OwnerChanges : "PreviousOwnerID + NewOwnerID" + SA_FSAA_Resources ||--o{ SA_FSAC_RenameTargets : "TargetPathID" + + SA_FSAA_Resources ||--o{ SA_FSAC_DailyActivity : "FolderID" + SA_FSAA_Trustees ||--o{ SA_FSAC_DailyActivity : "TrusteeID" + + SA_FSAC_ExceptionTypes ||--o{ SA_FSAC_Exceptions : "ExceptionType" + SA_FSAC_UserExceptionTypes ||--o{ SA_FSAC_UserExceptions : "ExceptionType (by SID)" +``` + +--- + +## Sensitive Data + +`SA_FSDLP_Criteria` lists the active DLP patterns. `SA_FSDLP_Matches` records, for each `(file, criterion)` pair, how many hits were found. `SA_FSDLP_MatchHits` carries the per-hit excerpt (prefix / data / suffix) and confidence score. `SA_FSDLP_MatchHits_SubjectProfile` links each hit to a subject in the central Subject Profile system (the identity / attribute that the matched data corresponds to). `FileId` on Matches is a logical reference to `SA_FSAA_Resources.ID`. 
+ +```mermaid +erDiagram + SA_FSAA_Hosts ||--o{ SA_FSDLP_ImportHistory : "HOST" + SA_FSAA_Hosts ||--o{ SA_FSDLP_Criteria : "HOST" + + SA_FSDLP_Criteria ||--o{ SA_FSDLP_Matches : "CriteriaId" + SA_FSDLP_Matches ||--o{ SA_FSDLP_MatchHits : "FileId + CriteriaId" + SA_FSDLP_MatchHits ||--o{ SA_FSDLP_MatchHits_SubjectProfile : "FileId + CriteriaId + ID" +``` + +:::note +Logical (un-enforced) reference not shown: `SA_FSDLP_Matches.FileId → SA_FSAA_Resources.ID`. The DLP collector populates `FileId` to match the FSAA resource ID but no SQL FK constraint is created so DLP imports can run independently of structural scans. + +`SA_FSDLP_MatchHits_SubjectProfile` has foreign keys into the central Subject Profile tables (`SA_SubjectProfile_Sources`, `SA_SubjectProfile_Identities`, `SA_SubjectProfile_AttributeValues`). Those tables are owned by the Subject Profile module and not shown here. +::: + +--- + +## DFS Namespaces + +`SA_FSDFS_Namespaces` lists the discovered DFS namespaces. `SA_FSDFS_Links` resolves each DFS-side path into the physical target (host / gate / resource) on a real file server. The link table has FKs into both the FSAA host and the FSAA structural tables on the target side. + +```mermaid +erDiagram + SA_FSAA_Hosts ||--o{ SA_FSDFS_Namespaces : "RootHostID" + SA_FSAA_Gates ||--o{ SA_FSDFS_Namespaces : "RootGateID" + + SA_FSDFS_Namespaces ||--o{ SA_FSDFS_Links : "NamespaceID" + SA_FSAA_Hosts ||--o{ SA_FSDFS_Links : "TargetHostID" + SA_FSAA_Gates ||--o{ SA_FSDFS_Links : "TargetGateID" + SA_FSAA_Resources ||--o{ SA_FSDFS_Links : "TargetResourceID" + SA_FSAA_Resources ||--o{ SA_FSDFS_Links : "DfsResourceID" +``` diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json new file mode 100644 index 0000000000..c990fe38d8 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "Foreign Key Reference", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md new file mode 100644 index 0000000000..68c7aa6db2 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md 
@@ -0,0 +1,77 @@ +# Foreign Key Reference + +## Complete Foreign Key Listing + +| FK Name | Parent Table | Parent Column(s) | Referenced Table | Referenced Column(s) | On Delete | +|---|---|---|---|---|---| +| FK_SA_FSAA_ImportHistory_HOST | SA_FSAA_ImportHistory | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_Trustees_HOST | SA_FSAA_Trustees | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_LocalTrustees_ID | SA_FSAA_LocalTrustees | HOST, ID | SA_FSAA_Trustees | HOST, ID | CASCADE | +| FK_SA_FSAA_TrusteeEquivalence_TrusteeID | SA_FSAA_TrusteeEquivalence | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_TrusteeEquivalence_EquivalentTrusteeID | SA_FSAA_TrusteeEquivalence | HOST, EquivalentTrusteeID | SA_FSAA_LocalTrustees | HOST, ID | CASCADE | +| FK_SA_FSAA_Rights_TrusteeID | SA_FSAA_Rights | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_Tags_HOST | SA_FSAA_Tags | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_TagKeys_HOST | SA_FSAA_TagKeys | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_TagProxies_HOST | SA_FSAA_TagProxies | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_TagProxies_TagProxyID | SA_FSAA_TagProxies | HOST, TagProxyID | SA_FSAA_TagKeys | HOST, TagProxyID | NO ACTION | +| FK_SA_FSAA_TagProxies_TagID | SA_FSAA_TagProxies | HOST, TagID | SA_FSAA_Tags | HOST, TagID | NO ACTION | +| FK_SA_FSAA_Resources_HOST | SA_FSAA_Resources | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_Resources_ParentResourceID | SA_FSAA_Resources | HOST, ParentResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAA_Resources_OwnerID | SA_FSAA_Resources | HOST, OwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_UnixRights_ResourceID | SA_FSAA_UnixRights | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE | +| FK_SA_FSAA_UnixRights_OwnerID | SA_FSAA_UnixRights | HOST, OwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_UnixRights_GroupID | 
SA_FSAA_UnixRights | HOST, GroupID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_Gates_HOST | SA_FSAA_Gates | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_Gates_ShareID | SA_FSAA_Gates | HOST, ShareID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAA_Gates_FolderID | SA_FSAA_Gates | HOST, FolderID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAA_Gates_PolicyID | SA_FSAA_Gates | HOST, PolicyID | SA_FSAA_Gates | HOST, ID | NO ACTION | +| FK_SA_FSAA_GatesProxy_GateID | SA_FSAA_GatesProxy | HOST, GateID | SA_FSAA_Gates | HOST, ID | CASCADE | +| FK_SA_FSAA_Policies_PolicyID | SA_FSAA_Policies | HOST, PolicyID | SA_FSAA_Gates | HOST, ID | CASCADE | +| FK_SA_FSAA_Policies_TrusteeID | SA_FSAA_Policies | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_Exceptions_HOST | SA_FSAA_Exceptions | HOST | SA_FSAA_Hosts | ID | NO ACTION | +| FK_SA_FSAA_Exceptions_GateID | SA_FSAA_Exceptions | HOST, GateID | SA_FSAA_Gates | HOST, ID | CASCADE | +| FK_SA_FSAA_Exceptions_ResourceID | SA_FSAA_Exceptions | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAA_Exceptions_TrusteeID | SA_FSAA_Exceptions | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_Exceptions_SourceTrusteeID | SA_FSAA_Exceptions | HOST, SourceTrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_ExceptionTypes_HOST | SA_FSAA_ExceptionTypes | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_ProbableOwners_HOST | SA_FSAA_ProbableOwners | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAA_ProbableOwners_ResourceID | SA_FSAA_ProbableOwners | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAA_ProbableOwners_OwnerID | SA_FSAA_ProbableOwners | HOST, OwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAA_FileSizes_ResourceID | SA_FSAA_FileSizes | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE | +| FK_SA_FSAA_FileTypes_ResourceID | SA_FSAA_FileTypes | 
HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE | +| FK_SA_FSAA_FileAges_ResourceID | SA_FSAA_FileAges | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE | +| FK_SA_FSAA_FileTags_ResourceID | SA_FSAA_FileTags | HOST, ResourceID | SA_FSAA_Resources | HOST, ID | CASCADE | +| FK_SA_FSAA_FileTags_TagProxyID | SA_FSAA_FileTags | HOST, TagProxyID | SA_FSAA_TagKeys | HOST, TagProxyID | NO ACTION | +| FK_SA_FSAC_ProcessNames_HOST | SA_FSAC_ProcessNames | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAC_ActivityEvents_HOST | SA_FSAC_ActivityEvents | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAC_ActivityEvents_PathID | SA_FSAC_ActivityEvents | HOST, PathID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAC_ActivityEvents_ProcessID | SA_FSAC_ActivityEvents | HOST, ProcessID | SA_FSAC_ProcessNames | HOST, ID | NO ACTION | +| FK_SA_FSAC_ActivityEvents_TrusteeID | SA_FSAC_ActivityEvents | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAC_PermissionChanges_HOST | SA_FSAC_PermissionChanges | HOST | SA_FSAA_Hosts | ID | NO ACTION | +| FK_SA_FSAC_PermissionChanges_ActivityID | SA_FSAC_PermissionChanges | HOST, ActivityID | SA_FSAC_ActivityEvents | HOST, ID | NO ACTION | +| FK_SA_FSAC_PermissionChanges_TrusteeID | SA_FSAC_PermissionChanges | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAC_OwnerChanges_HOST | SA_FSAC_OwnerChanges | HOST | SA_FSAA_Hosts | ID | NO ACTION | +| FK_SA_FSAC_OwnerChanges_ActivityID | SA_FSAC_OwnerChanges | HOST, ActivityID | SA_FSAC_ActivityEvents | HOST, ID | NO ACTION | +| FK_SA_FSAC_OwnerChanges_PreviousOwnerID | SA_FSAC_OwnerChanges | HOST, PreviousOwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAC_OwnerChanges_NewOwnerID | SA_FSAC_OwnerChanges | HOST, NewOwnerID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAC_DailyActivity_HOST | SA_FSAC_DailyActivity | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAC_DailyActivity_FolderID | 
SA_FSAC_DailyActivity | HOST, FolderID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSAC_DailyActivity_TrusteeID | SA_FSAC_DailyActivity | HOST, TrusteeID | SA_FSAA_Trustees | HOST, ID | NO ACTION | +| FK_SA_FSAC_RenameTargets_HOST | SA_FSAC_RenameTargets | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSAC_RenameTargets_ActivityID | SA_FSAC_RenameTargets | HOST, ActivityID | SA_FSAC_ActivityEvents | HOST, ID | NO ACTION | +| FK_SA_FSAC_RenameTargets_TargetPathID | SA_FSAC_RenameTargets | HOST, TargetPathID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSDLP_ImportHistory_HOST | SA_FSDLP_ImportHistory | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSDLP_Criteria_HOST | SA_FSDLP_Criteria | HOST | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSDLP_Matches_CriteriaId | SA_FSDLP_Matches | HOST, CriteriaId | SA_FSDLP_Criteria | HOST, ID | CASCADE | +| FK_SA_FSDLP_MatchHits_Match | SA_FSDLP_MatchHits | HOST, FileId, CriteriaId | SA_FSDLP_Matches | HOST, FileId, CriteriaId | CASCADE | +| FK_SA_FSDLP_MatchHits_SubjectProfile | SA_FSDLP_MatchHits_SubjectProfile | HOST, FileId, CriteriaId, ID | SA_FSDLP_MatchHits | HOST, FileId, CriteriaId, ID | CASCADE | +| FK_SA_FSDLP_MatchHits_SubjectProfile_Source | SA_FSDLP_MatchHits_SubjectProfile | SourceId | SA_SubjectProfile_Sources | Id | NO ACTION | +| FK_SA_FSDLP_MatchHits_SubjectProfile_Identity | SA_FSDLP_MatchHits_SubjectProfile | IdentityId | SA_SubjectProfile_Identities | Id | NO ACTION | +| FK_SA_FSDLP_MatchHits_SubjectProfile_Attribute | SA_FSDLP_MatchHits_SubjectProfile | IdentityId, AttributeId, Order | SA_SubjectProfile_AttributeValues | IdentityId, AttributeId, Order | CASCADE | +| FK_SA_FSDFS_Namespaces_Hosts | SA_FSDFS_Namespaces | RootHostID | SA_FSAA_Hosts | ID | CASCADE | +| FK_SA_FSDFS_Namespaces_GateID | SA_FSDFS_Namespaces | RootHostID, RootGateID | SA_FSAA_Gates | HOST, ID | NO ACTION | +| FK_SA_FSDFS_Links_NamespaceID | SA_FSDFS_Links | NamespaceID | SA_FSDFS_Namespaces | ID | CASCADE | +| 
FK_SA_FSDFS_Links_TargetHostID | SA_FSDFS_Links | TargetHostID | SA_FSAA_Hosts | ID | NO ACTION | +| FK_SA_FSDFS_Links_TargetGateID | SA_FSDFS_Links | TargetHostID, TargetGateID | SA_FSAA_Gates | HOST, ID | NO ACTION | +| FK_SA_FSDFS_Links_TargetResourceID | SA_FSDFS_Links | TargetHostID, TargetResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION | +| FK_SA_FSDFS_Links_DfsResourceID | SA_FSDFS_Links | DfsHostID, DfsResourceID | SA_FSAA_Resources | HOST, ID | NO ACTION | diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json new file mode 100644 index 0000000000..7b82af05dc --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Functions & Stored Procedures", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md new file mode 100644 index 0000000000..7c9cdbc963 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md 
@@ -0,0 +1,229 @@ +# Functions & Stored Procedures + +All functions and procedures live in the `dbo` schema. Most of the table-valued functions are inline (UDFs) and are joined into views with `CROSS APPLY` / `OUTER APPLY`. Two cross-database UDF table types — `SA_CORE_GroupMemberPathTable` and `SA_CORE_GroupMembersTable` — are used as `READONLY` table-valued parameters; both come from the `SA_CORE_*` shared schema (created elsewhere). + +--- + +## FSAA Functions + +### SA_FSAA_GetPath {#sa_fsaa_getpath} + +**Signature:** `(@serverID INT, @resourceID BIGINT) RETURNS NVARCHAR(4000)` + +**Type:** Scalar function + +**Description:** Walks the parent chain in `SA_FSAA_Resources` and concatenates names with the appropriate delimiter (`/` for Unix resources of type 5/6, `\` for everything else) to produce the full resource path. Returns NULL if the resource is not found. + +--- + +### SA_FSAA_GetTrusteeMembership {#sa_fsaa_gettrusteemembership} + +**Signature:** `(@serverID INT, @objectSID VARCHAR(184), @trusteeType INT, @groupPath SA_CORE_GroupMemberPathTable READONLY, @directlyApplied INT = 0, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveMembers TABLE (NTDomain, NTName, DisplayName, ObjectSID, TrusteeType)` + +**Type:** Multi-statement table-valued function + +**Description:** Recursively expands a group/principal into its effective members. Handles well-known SIDs specially (`S-1-5-2 NETWORK`, `S-1-5-3 BATCH`, `S-1-5-4 INTERACTIVE`, `S-1-5-6 SERVICE`, `S-1-5-13 TERMINAL SERVER USER`, `S-1-5-14 REMOTE INTERACTIVE LOGON`, `S-1-2-0 LOCAL`) by routing through `SA_FSAA_GetPolicyMembership`. Domain groups are expanded via `SA_CORE_GetDomainGroupMembershipEx` or `SA_ADInventory_GroupMembersView`. Local groups are expanded via `SA_FSAA_GetLocalGroupMembership`. The `@groupPath` parameter prevents infinite recursion. 
+ +--- + +### SA_FSAA_IsTrusteeMember {#sa_fsaa_istrusteemember} + +**Signature:** `(@serverID INT, @trusteeSID VARCHAR(184), @trusteeDomain NVARCHAR(256), @trusteeType INT, @groupSID VARCHAR(184), @groupDomain NVARCHAR(256), @groupType INT, @directlyApplied INT) RETURNS INT` + +**Type:** Scalar function + +**Description:** Returns 1 if the trustee is a (recursive) member of the group, else 0. Encodes well-known fast paths for `Everyone (S-1-1-0)`, `Authenticated Users (S-1-5-11)` (excluding Guest, Anonymous, and Domain Computers), and `Domain Users (S-1-5-21-...-513)`. Falls back to `SA_FSAA_GetTrusteeMembership` when the relationship cannot be answered by a fast path. + +--- + +### SA_FSAA_RecurseFolders {#sa_fsaa_recursefolders} + +**Signature:** `(@serverID INT, @resourceID BIGINT) RETURNS TABLE (ID, NestedLevel, ResourceType, DeletedUSN)` + +**Type:** Inline table-valued function (recursive CTE) + +**Description:** Returns every descendant of the given resource (used for subtree aggregation queries). + +--- + +### SA_FSAA_WalkTrusteePath {#sa_fsaa_walktrusteepath} + +**Signature:** `(@serverID INT, @trusteeType INT, @trusteeSID VARCHAR(184), @trusteeDomain NVARCHAR(256), @trusteeDisplay NVARCHAR(256), @groupSID VARCHAR(184), @groupType INT, @groupDomain NVARCHAR(256), @groupName NVARCHAR(256), @pathString NVARCHAR(1024), ...) RETURNS TABLE` + +**Type:** Inline table-valued function + +**Description:** Helper that walks an effective-membership path and accumulates the membership chain into a textual breadcrumb (`group → subgroup → user`). + +--- + +### SA_FSAA_GetTrusteeInformationEx {#sa_fsaa_gettrusteeinformationex} + +**Signature:** `(@serverID INT, @trusteeID INT, @objectSID VARCHAR(184), @trusteeType SMALLINT) RETURNS TABLE (NTDomain, NTName, DisplayName, TrusteeType, IsHistoricalSID, PrincipalId)` + +**Type:** Inline table-valued function + +**Description:** Returns a single row of trustee identity. 
For local trustees the values come from `SA_FSAA_LocalTrustees`; for domain trustees they come from the AD inventory's `SA_ADInventory_*` tables matched by SID (handling SID History when `IsHistoricalSID = 1`). The function does not project the SID — callers pass it in via `@objectSID` and the wrapper `SA_FSAA_GetTrusteeInformation` re-emits it from `SA_FSAA_Trustees`. + +--- + +### SA_FSAA_GetTrusteeInformation {#sa_fsaa_gettrusteeinformation} + +**Signature:** `(@serverID INT, @trusteeID INT) RETURNS TABLE (NTDomain, NTName, DisplayName, SID, TrusteeType, IsHistoricalSID, PrincipalId)` + +**Type:** Inline table-valued function + +**Description:** Wrapper around `SA_FSAA_GetTrusteeInformationEx` that pulls the SID and `TrusteeType` from `SA_FSAA_Trustees` first. + +--- + +### SA_FSAA_GetResourcePermissions {#sa_fsaa_getresourcepermissions} + +**Signature:** `(@serverID INT, @resourceID BIGINT) RETURNS TABLE (AllowRights, DenyRights, AllowMask, DenyMask, TrusteeID, NTDomain, NTName, DisplayName, SID, TrusteeType)` + +**Type:** Inline table-valued function + +**Description:** Joins `Resources → Rights → LocalTrustees` and returns the ACL of the resource as a flat table (one row per ACE). + +--- + +### SA_FSAA_GetGatePermissions {#sa_fsaa_getgatepermissions} + +**Signature:** `(@serverID INT, @gateID INT) RETURNS TABLE (AllowRights, DenyRights, TrusteeID, NTDomain, NTName, DisplayName, SID, TrusteeType)` + +**Type:** Inline table-valued function + +**Description:** Returns the share-level permissions for a gate. Computes the synthetic Allow/Deny bits by `b.Allow * -63` (turn the boolean into the full 6-bit `LRWDMA` mask). 
+ +--- + +### SA_FSAA_GetExpandedPermissions {#sa_fsaa_getexpandedpermissions} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @ispolicy BIT, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @expandedRights TABLE (AllowRights, DenyRights, ...trustee columns...)` + +**Type:** Multi-statement table-valued function + +**Description:** Takes a resource's ACL and recursively expands every group ACE into per-leaf-trustee entries via `SA_FSAA_GetTrusteeMembership`. Used by `SA_FSAA_ExpandedPermissionsView`. + +--- + +### SA_FSAA_GetExpandedPermissionsEx {#sa_fsaa_getexpandedpermissionsex} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @ispolicy INT, @trusteeFilter SA_CORE_TrusteeInformationTable READONLY, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @expandedRights TABLE (...)` + +**Type:** Multi-statement table-valued function + +**Description:** Same as `SA_FSAA_GetExpandedPermissions` but pre-filtered to only the trustees in `@trusteeFilter` (significantly faster when caller cares about a specific user). + +--- + +### SA_FSAA_GetPolicyMembership {#sa_fsaa_getpolicymembership} + +**Signature:** `(@serverID INT, @policyID INT, @groupPath SA_CORE_GroupMemberPathTable READONLY, @directlyApplied INT = 0, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveMembers TABLE (...)` + +**Type:** Multi-statement table-valued function + +**Description:** Resolves the trustees of a local-policy gate (for example, *Logon Interactively*). Reads `SA_FSAA_Policies` and recursively expands each policy member. 
+ +--- + +### SA_FSAA_GetLocalGroupMembership {#sa_fsaa_getlocalgroupmembership} + +**Signature:** `(@serverID INT, @objectSID VARCHAR(184), @groupPath SA_CORE_GroupMemberPathTable READONLY, @directlyApplied INT = 0, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveMembers TABLE (NTDomain, NTName, DisplayName, ObjectSID, TrusteeType, IsDirect BIT NOT NULL)` + +**Type:** Multi-statement table-valued function + +**Description:** Walks `SA_FSAA_TrusteeEquivalence` for the given local group and recursively expands each equivalent trustee. Unlike the sibling membership UDFs, the return-table includes an extra `IsDirect BIT` column flagging directly-applied vs. transitively-resolved members. + +--- + +### SA_FSAA_GetEffectiveRights {#sa_fsaa_geteffectiverights} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @gateID INT, @directlyApplied INT, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveRights TABLE (AllowRights, DenyRights, ...trustee columns..., DirectTrustee BIT)` + +**Type:** Multi-statement table-valued function + +**Description:** Computes the *effective* allow/deny bits for every leaf trustee that can reach the resource through the gate. This is the heaviest UDF in the schema — it composes share permissions, NTFS permissions, group membership expansion, and domain inventory data. Used by `SA_FSAA_EffectiveAccessView`. + +--- + +### SA_FSAA_GetEffectiveRightsEx {#sa_fsaa_geteffectiverightsex} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @gateID INT, @trusteeFilter SA_CORE_TrusteeInformationTable READONLY, @membershipOverride SA_CORE_GroupMembersTable READONLY) RETURNS @effectiveRights TABLE (...)` + +**Type:** Multi-statement table-valued function + +**Description:** Same as `SA_FSAA_GetEffectiveRights` but filtered to a specific set of trustees. 
+ +--- + +### SA_FSAA_GetTrusteePermissionSource {#sa_fsaa_gettrusteepermissionsource} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @gateID INT, @trusteeSID VARCHAR(184)) RETURNS @permissionSource TABLE (HOST VARCHAR(64) NOT NULL, AllowRights, DenyRights, AllowRightsDescription, ...)` + +**Type:** Multi-statement table-valued function + +**Description:** Given a resource, gate, and trustee SID, returns the *source* ACEs that contribute to that trustee's effective rights — useful for "who granted this user access?" diagnostic UI. + +--- + +### SA_FSAA_LookupResourcePath {#sa_fsaa_lookupresourcepath} + +**Signature:** `(@serverID INT, @path NVARCHAR(1024)) RETURNS BIGINT` + +**Type:** Scalar function + +**Description:** Resolves a backslash-delimited path string against the resource tree for a host and returns the matching `SA_FSAA_Resources.ID`, or NULL if no match. + +--- + +### SA_FSAA_LookupUncPath {#sa_fsaa_lookupuncpath} + +**Signature:** `(@path NVARCHAR(1024)) RETURNS @results TABLE (HostID INT NOT NULL, HostName NVARCHAR(256) NOT NULL, GateID INT NOT NULL, ResourceID BIGINT NULL, ShareName NVARCHAR(256) NOT NULL, FolderPath NVARCHAR(1024) NOT NULL)` + +**Type:** Multi-statement table-valued function + +**Description:** Parses a UNC path (`\\server\share\path`) and returns the matching host, gate, and resource, plus the parsed `ShareName` and the folder path beneath the share. Used to map paths captured in DLP / Activity tables back into the FSAA structural keyspace. + +--- + +### SA_FSAA_UpdateStatistics {#sa_fsaa_updatestatistics} + +**Signature:** `()` + +**Type:** Stored procedure (no parameters) + +**Description:** Runs `UPDATE STATISTICS` on the FSAA tables. Invoked by the structural-import job after a bulk import to keep the SQL Server query optimizer's row-count estimates current. Long-running on large data sets. 
+ +--- + +## Activity Collector Functions (SA_FSAC_*) {#activity-collector-functions-sa_fsac_} + +### SA_FSAC_GetActiveFolderPermissions {#sa_fsac_getactivefolderpermissions} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @activityDays INT) RETURNS @results TABLE (AllowRights, ActiveRights, AllowRightsDescription, ActiveRightsDescription, TrusteeID, NTDomain, NTName, DisplayName, ObjectSID, TrusteeType)` + +**Type:** Multi-statement table-valued function + +**Description:** For a given resource and a recent activity window (`@activityDays`), returns each trustee's `AllowRights` (statically granted) alongside `ActiveRights` (the subset of those rights the trustee has actually exercised). The "active" mask is computed by walking the resource's subtree of recent daily activity through `SA_FSAC_GetFolderActivityMask`, then ANDing it with the granted rights — so it shows what each user is *using*, not just what they *can* use. Drives the *Least Privileged Access* report. + +--- + +### SA_FSAC_GetFolderActivityMask {#sa_fsac_getfolderactivitymask} + +**Signature:** `(@serverID INT, @resourceID BIGINT, @activityDays INT) RETURNS @results TABLE (ActiveRights, ActiveRightsDescription, TrusteeID, NTDomain, NTName, DisplayName, ObjectSID, TrusteeType)` + +**Type:** Multi-statement table-valued function + +**Description:** Translates a user's recent activity (within `@activityDays` days) on a folder subtree into the equivalent rights bitmask. Each operation type maps to a specific right (Read → R, Add/Update/Rename → W, Delete → D, PermissionChange → M); any activity at all also implies List (L). Returns one row per user with the consolidated `ActiveRights` mask and identity columns from `SA_FSAA_GetTrusteeInformation`. 
+ +--- + +## DFS Functions (SA_FSDFS_*) {#dfs-functions-sa_fsdfs_} + +### SA_FSDFS_LookupDfsPath {#sa_fsdfs_lookupdfsepath} + +**Signature:** `(@path NVARCHAR(1024)) RETURNS @values TABLE (TargetHostID INT NULL, TargetGateID INT NULL, TargetResourceID BIGINT NULL, TargetFolderPath NVARCHAR(1024) NOT NULL)` + +**Type:** Multi-statement table-valued function + +**Description:** Resolves a DFS-style path (for example, `\\contoso.com\public\sales\reports`) by walking `SA_FSDFS_Links` to find the matching link and returning the underlying physical target — the host, gate, resource, and remaining sub-folder path beneath the link. Used to translate DFS-relative report rows back into FSAA structural identifiers. diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json new file mode 100644 index 0000000000..4e9158bae9 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Index Reference", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md new file mode 100644 index 0000000000..50b81af771 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/indexreference/overview.md 
@@ -0,0 +1,62 @@ +# Index Reference + +## Complete Index Listing + +| Table | Index Name | Type | Unique | Columns | +|---|---|---|---|---| +| SA_FSAA_Hosts | PK_SA_FSAA_Hosts | CLUSTERED | Yes | ID | +| SA_FSAA_Hosts | UQ_SA_FSAA_Hosts_HOST | UNIQUE | Yes | HOST | +| SA_FSAA_ImportHistory | PK_SA_FSAA_ImportHistory | CLUSTERED | Yes | HOST, ImportTime | +| SA_FSAA_Trustees | PK_SA_FSAA_Trustees | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_LocalTrustees | PK_SA_FSAA_LocalTrustees | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_TrusteeEquivalence | PK_SA_FSAA_TrusteeEquivalence | CLUSTERED | Yes | HOST, TrusteeID, EquivalentTrusteeID | +| SA_FSAA_TrusteeEquivalence | SA_FSAA_TrusteeEquivalence_Group_IDX | NONCLUSTERED | No | HOST, EquivalentTrusteeID, TrusteeID (INCLUDE) | +| SA_FSAA_Rights | PK_SA_FSAA_Rights | CLUSTERED | Yes | HOST, RightsProxyID, TrusteeID | +| SA_FSAA_Tags | PK_SA_FSAA_Tags | CLUSTERED | Yes | HOST, TagID | +| SA_FSAA_TagKeys | PK_SA_FSAA_TagKeys | CLUSTERED | Yes | HOST, TagProxyID | +| SA_FSAA_TagProxies | PK_SA_FSAA_TagProxies | CLUSTERED | Yes | HOST, TagProxyID, TagID | +| SA_FSAA_Resources | PK_SA_FSAA_Resources | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_Resources | SA_FSAA_Resources_Enum_IDX | NONCLUSTERED | No | HOST, ParentResourceID, ID, ResourceType, DeletedUSN (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_RightsProxyID_IDX | NONCLUSTERED | No | HOST, RightsProxyID, ID, GatesProxyID, DeletedUSN, ResourceType (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_GatesProxyID_IDX | NONCLUSTERED | No | HOST, GatesProxyID, ID (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_USN_IDX | NONCLUSTERED | No | HOST, USN, ID (INCLUDE) | +| SA_FSAA_Resources | SA_FSAA_Resources_ParentResourceID_Name_IDX | NONCLUSTERED | No | HOST, ParentResourceID, Name | +| SA_FSAA_UnixRights | PK_SA_FSAA_UnixRights | CLUSTERED | Yes | HOST, ResourceID | +| SA_FSAA_Gates | PK_SA_FSAA_Gates | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_GatesProxy | 
PK_SA_FSAA_GatesProxy | CLUSTERED | Yes | HOST, ID, GateID | +| SA_FSAA_GatesProxy | SA_FSAA_GatesProxy_GateID_IDX | NONCLUSTERED | No | HOST, GateID, ID (INCLUDE) | +| SA_FSAA_Policies | PK_SA_FSAA_Policies | CLUSTERED | Yes | HOST, PolicyID, TrusteeID | +| SA_FSAA_Exceptions | PK_SA_FSAA_Exceptions | CLUSTERED | Yes | HOST, ID | +| SA_FSAA_Exceptions | SA_FSAA_Exceptions_Resource_IDX | NONCLUSTERED | No | HOST, ResourceID, ExceptionType, GateID (INCLUDE) | +| SA_FSAA_ExceptionTypes | PK_SA_FSAA_ExceptionTypes | CLUSTERED | Yes | HOST, ExceptionType | +| SA_FSAA_ProbableOwners | PK_SA_FSAA_ProbableOwners | CLUSTERED | Yes | HOST, ResourceID, OwnerID | +| SA_FSAA_FileSizes | PK_SA_FSAA_FileSizes | CLUSTERED | Yes | HOST, ResourceID | +| SA_FSAA_FileTypes | PK_SA_FSAA_FileTypes | CLUSTERED | Yes | HOST, ResourceID, Extension | +| SA_FSAA_FileAges | PK_SA_FSAA_FileAges | CLUSTERED | Yes | HOST, ResourceID | +| SA_FSAA_FileTags | PK_SA_FSAA_FileTags | CLUSTERED | Yes | HOST, ResourceID, TagProxyID | +| SA_FSAC_ProcessNames | PK_SA_FSAC_ProcessNames | CLUSTERED | Yes | HOST, ID | +| SA_FSAC_ActivityEvents | PK_SA_FSAC_ActivityEvents | CLUSTERED | Yes | HOST, ID | +| SA_FSAC_ActivityEvents | SA_FSAC_ActivityEvents_PathID_IDX | NONCLUSTERED | No | HOST, PathID, ID, AccessTime, TrusteeID, Operation, Allow (INCLUDE) | +| SA_FSAC_ActivityEvents | SA_FSAC_ActivityEvents_TrusteeID_IDX | NONCLUSTERED | No | TrusteeID, AccessTime, PathID, ProcessID, Operation, Allow (INCLUDE) | +| SA_FSAC_PermissionChanges | PK_SA_FSAC_PermissionChanges | CLUSTERED | Yes | HOST, ActivityID, ChangeID | +| SA_FSAC_OwnerChanges | PK_SA_FSAC_OwnerChanges | CLUSTERED | Yes | HOST, ActivityID | +| SA_FSAC_RenameTargets | PK_SA_FSAC_RenameTargets | CLUSTERED | Yes | HOST, ActivityID | +| SA_FSAC_DailyActivity | PK_SA_FSAC_DailyActivity | CLUSTERED | Yes | HOST, FolderID, ActivityDate, TrusteeID, Operation, Allow | +| SA_FSAC_ExceptionTypes | PK_SA_FSAC_ExceptionTypes | CLUSTERED | Yes | HOST, 
ExceptionType | +| SA_FSAC_Exceptions | PK_SA_FSAC_Exceptions | CLUSTERED | Yes | HOST, ID | +| SA_FSAC_Exceptions | SA_FSAC_Exceptions_ResourceID_IDX | NONCLUSTERED | No | HOST, ResourceID, GateID (INCLUDE) | +| SA_FSAC_UserExceptionTypes | PK_SA_FSAC_UserExceptionTypes | CLUSTERED | Yes | SID, ExceptionType | +| SA_FSAC_UserExceptions | PK_SA_FSAC_UserExceptions | CLUSTERED | Yes | ID | +| SA_FSDLP_ImportHistory | PK_SA_FSDLP_ImportHistory | CLUSTERED | Yes | HOST, USN | +| SA_FSDLP_Criteria | PK_SA_FSDLP_Criteria | CLUSTERED | Yes | HOST, ID | +| SA_FSDLP_Matches | PK_SA_FSDLP_Matches | CLUSTERED | Yes | HOST, FileId, CriteriaId | +| SA_FSDLP_MatchHits | PK_SA_FSDLP_MatchHits | CLUSTERED | Yes | HOST, FileId, CriteriaId, ID | +| SA_FSDLP_MatchHits_SubjectProfile | PK_SA_FSDLP_MatchHits_SubjectProfile | CLUSTERED | Yes | HOST, FileId, CriteriaId, ID | +| SA_FSDLP_MatchHits_SubjectProfile | SA_FSDLP_MatchHits_SubjectProfile_Source_IDX | NONCLUSTERED | No | SourceId | +| SA_FSDLP_MatchHits_SubjectProfile | SA_FSDLP_MatchHits_SubjectProfile_Identity_IDX | NONCLUSTERED | No | IdentityId | +| SA_FSDFS_Namespaces | PK_SA_FSDFS_Namespaces | CLUSTERED | Yes | ID | +| SA_FSDFS_Links | PK_SA_FSDFS_Links | CLUSTERED | Yes | HOST, ID | +| SA_FSDFS_Links | UQ_FSDFS_Links_DfsPath | UNIQUE | Yes | DfsPath, NamespaceID | +| SA_FSDFS_Links | SA_FSDFS_Links_GateID_IDX | NONCLUSTERED | No | TargetHostID, TargetGateID | + +`SA_FSAA_SchemaVer` and `SA_FSAA_ScanHistory` carry no indexes. diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md new file mode 100644 index 0000000000..686880a91b --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/overview.md 
@@ -0,0 +1,158 @@ +# File System Access Data Collector Schema + +## Overview + +This is a comprehensive schema documentation for the **NAA 11.6 File System Access Data Collector (FSAA)**. The FSAA data collector audits Windows and NFS file systems for permissions, ownership, content, activity, and sensitive-data classification. FSAA scans Windows servers, NetApp / EMC / Dell filers, and Linux/Unix hosts; normalizes the security model into a unified per-host identity space; and writes the results to the central database. + +This documentation covers four collector modules that share one schema: + +- **`SA_FSAA_`** — File System Access Analyzer: file / folder / share inventory, NTFS and share permissions, file-content statistics (sizing, types, ages), ownership, and tags. +- **`SA_FSAC_`** — File System Activity Collector: file-system audit events (read / add / update / delete / permission-change / rename), aggregated daily activity, permission-change details, and exception detection. +- **`SA_FSDLP_`** — Sensitive Data / Data Loss Prevention: detected matches against DLP criteria, with per-match excerpts and subject-profile linkage. +- **`SA_FSDFS_`** — DFS Namespace mapping: DFS namespaces and links, plus the mapping from DFS paths to the underlying physical shares. + +### Data model overview + +Every core data table is **partitioned by host**: each table has a `HOST INT` column that is a foreign key to `SA_FSAA_Hosts.ID` with `ON DELETE CASCADE`. Removing a host from `SA_FSAA_Hosts` therefore atomically purges every collected row for that host across all four modules (FSAA, FSAC, FSDLP, DFS). + +Within a host, the canonical secondary keys are: + +- **Resources** — folders / files / shares — keyed by `bigint ID` (table `SA_FSAA_Resources`). +- **Trustees** — security principals seen in ACLs — keyed by `int ID` (table `SA_FSAA_Trustees`). +- **Gates** — entry points such as SMB shares and NFS exports — keyed by `int ID` (table `SA_FSAA_Gates`). 
+- **RightsProxyID** — a shared dedup key on `SA_FSAA_Rights` so that many resources sharing identical ACLs all reference one set of permission rows. +- **GatesProxyID** — analogous dedup pointer from a resource to the gates that grant access to it. +- **TagProxyID** — analogous dedup pointer from a resource to its set of file tags. + +### Cross-module integration + +`SA_FSAA_Resources` carries `AccessID`, `ActivityID`, and `DLPID` columns that link a resource into its corresponding rows in the Activity (FSAC) and DLP (FSDLP) tables. Reports that combine permissions, activity, and sensitive-data findings — for example the *Open Access* and *Least Privileged Access* reports — join across those columns. + +--- + +### [Table Relationship Diagrams (ERD)](erd/overview.md) + - [Top-level partitioning](erd/overview.md#top-level-partitioning) + - [Trustees](erd/overview.md#trustees) + - [Resources & content aggregations](erd/overview.md#resources--content-aggregations) + - [Gates and permissions](erd/overview.md#gates-and-permissions) + - [Tags](erd/overview.md#tags) + - [Exceptions](erd/overview.md#exceptions) + - [Activity collection](erd/overview.md#activity-collection) + - [Sensitive data](erd/overview.md#sensitive-data) + - [DFS namespaces](erd/overview.md#dfs-namespaces) + +### [Core Data Collection Tables](coretables/overview.md) +#### [FSAA Tables](coretables/overview.md#fsaa-tables) + - [SA_FSAA_SchemaVer](coretables/overview.md#sa_fsaa_schemaver) + - [SA_FSAA_Hosts](coretables/overview.md#sa_fsaa_hosts) + - [SA_FSAA_ImportHistory](coretables/overview.md#sa_fsaa_importhistory) + - [SA_FSAA_Trustees](coretables/overview.md#sa_fsaa_trustees) + - [SA_FSAA_LocalTrustees](coretables/overview.md#sa_fsaa_localtrustees) + - [SA_FSAA_TrusteeEquivalence](coretables/overview.md#sa_fsaa_trusteeequivalence) + - [SA_FSAA_Rights](coretables/overview.md#sa_fsaa_rights) + - [SA_FSAA_Tags](coretables/overview.md#sa_fsaa_tags) + - 
[SA_FSAA_TagKeys](coretables/overview.md#sa_fsaa_tagkeys) + - [SA_FSAA_TagProxies](coretables/overview.md#sa_fsaa_tagproxies) + - [SA_FSAA_Resources](coretables/overview.md#sa_fsaa_resources) + - [SA_FSAA_UnixRights](coretables/overview.md#sa_fsaa_unixrights) + - [SA_FSAA_Gates](coretables/overview.md#sa_fsaa_gates) + - [SA_FSAA_GatesProxy](coretables/overview.md#sa_fsaa_gatesproxy) + - [SA_FSAA_Policies](coretables/overview.md#sa_fsaa_policies) + - [SA_FSAA_Exceptions](coretables/overview.md#sa_fsaa_exceptions) + - [SA_FSAA_ExceptionTypes](coretables/overview.md#sa_fsaa_exceptiontypes) + - [SA_FSAA_ProbableOwners](coretables/overview.md#sa_fsaa_probableowners) + - [SA_FSAA_FileSizes](coretables/overview.md#sa_fsaa_filesizes) + - [SA_FSAA_FileTypes](coretables/overview.md#sa_fsaa_filetypes) + - [SA_FSAA_FileAges](coretables/overview.md#sa_fsaa_fileages) + - [SA_FSAA_FileTags](coretables/overview.md#sa_fsaa_filetags) + - [SA_FSAA_ScanHistory](coretables/overview.md#sa_fsaa_scanhistory) + +#### [Activity Collector Tables (SA_FSAC_*)](coretables/overview.md#activity-collector-tables-sa_fsac_) + - [SA_FSAC_ProcessNames](coretables/overview.md#sa_fsac_processnames) + - [SA_FSAC_ActivityEvents](coretables/overview.md#sa_fsac_activityevents) + - [SA_FSAC_PermissionChanges](coretables/overview.md#sa_fsac_permissionchanges) + - [SA_FSAC_OwnerChanges](coretables/overview.md#sa_fsac_ownerchanges) + - [SA_FSAC_DailyActivity](coretables/overview.md#sa_fsac_dailyactivity) + - [SA_FSAC_RenameTargets](coretables/overview.md#sa_fsac_renametargets) + - [SA_FSAC_ExceptionTypes](coretables/overview.md#sa_fsac_exceptiontypes) + - [SA_FSAC_Exceptions](coretables/overview.md#sa_fsac_exceptions) + - [SA_FSAC_UserExceptionTypes](coretables/overview.md#sa_fsac_userexceptiontypes) + - [SA_FSAC_UserExceptions](coretables/overview.md#sa_fsac_userexceptions) + +#### [Sensitive Data Tables (SA_FSDLP_*)](coretables/overview.md#sensitive-data-tables-sa_fsdlp_) + - 
[SA_FSDLP_ImportHistory](coretables/overview.md#sa_fsdlp_importhistory) + - [SA_FSDLP_Criteria](coretables/overview.md#sa_fsdlp_criteria) + - [SA_FSDLP_Matches](coretables/overview.md#sa_fsdlp_matches) + - [SA_FSDLP_MatchHits](coretables/overview.md#sa_fsdlp_matchhits) + - [SA_FSDLP_MatchHits_SubjectProfile](coretables/overview.md#sa_fsdlp_matchhits_subjectprofile) + +#### [DFS Namespace Tables (SA_FSDFS_*)](coretables/overview.md#dfs-namespace-tables-sa_fsdfs_) + - [SA_FSDFS_Namespaces](coretables/overview.md#sa_fsdfs_namespaces) + - [SA_FSDFS_Links](coretables/overview.md#sa_fsdfs_links) + +### [Views](views/overview.md) +#### [FSAA Views](views/overview.md#fsaa-views) + - [SA_FSAA_Paths](views/overview.md#sa_fsaa_paths) + - [SA_FSAA_ResourcesView](views/overview.md#sa_fsaa_resourcesview) + - [SA_FSAA_PermissionsView](views/overview.md#sa_fsaa_permissionsview) + - [SA_FSAA_ExpandedPermissionsView](views/overview.md#sa_fsaa_expandedpermissionsview) + - [SA_FSAA_DirectPermissionsView](views/overview.md#sa_fsaa_directpermissionsview) + - [SA_FSAA_InheritedPermissionsView](views/overview.md#sa_fsaa_inheritedpermissionsview) + - [SA_FSAA_SharesTraversalView](views/overview.md#sa_fsaa_sharestraversalview) + - [SA_FSAA_EffectiveAccessView](views/overview.md#sa_fsaa_effectiveaccessview) + - [SA_FSAA_LocalGroupMembersView](views/overview.md#sa_fsaa_localgroupmembersview) + - [SA_FSAA_ExceptionsView](views/overview.md#sa_fsaa_exceptionsview) + +#### [Activity Views (SA_FSAC_*)](views/overview.md#activity-views-sa_fsac_) + - [SA_FSAC_DailyActivityView](views/overview.md#sa_fsac_dailyactivityview) + - [SA_FSAC_DailyUserActivityView](views/overview.md#sa_fsac_dailyuseractivityview) + - [SA_FSAC_DailyResourceActivityView](views/overview.md#sa_fsac_dailyresourceactivityview) + - [SA_FSAC_ActivityEventsView](views/overview.md#sa_fsac_activityeventsview) + - [SA_FSAC_ExceptionsView](views/overview.md#sa_fsac_exceptionsview) + - 
[SA_FSAC_UserExceptionsView](views/overview.md#sa_fsac_userexceptionsview) + - [SA_FSAC_PermissionChangesView](views/overview.md#sa_fsac_permissionchangesview) + +#### [Sensitive Data Views (SA_FSDLP_*)](views/overview.md#sensitive-data-views-sa_fsdlp_) + - [SA_FSDLP_MatchesView](views/overview.md#sa_fsdlp_matchesview) + - [SA_FSDLP_MatchHitsView](views/overview.md#sa_fsdlp_matchhitsview) + +### [Enumeration & Lookup Values Reference](enumeration/overview.md) + - [TrusteeType](enumeration/overview.md#trusteetype) + - [ResourceType](enumeration/overview.md#resourcetype) + - [GateType](enumeration/overview.md#gatetype) + - [Rights Bitmask](enumeration/overview.md#rights-bitmask) + +### [Functions & Stored Procedures](functions/overview.md) +#### [FSAA Functions](functions/overview.md#fsaa-functions) + - [SA_FSAA_GetPath](functions/overview.md#sa_fsaa_getpath) + - [SA_FSAA_GetTrusteeMembership](functions/overview.md#sa_fsaa_gettrusteemembership) + - [SA_FSAA_IsTrusteeMember](functions/overview.md#sa_fsaa_istrusteemember) + - [SA_FSAA_RecurseFolders](functions/overview.md#sa_fsaa_recursefolders) + - [SA_FSAA_WalkTrusteePath](functions/overview.md#sa_fsaa_walktrusteepath) + - [SA_FSAA_GetTrusteeInformationEx](functions/overview.md#sa_fsaa_gettrusteeinformationex) + - [SA_FSAA_GetTrusteeInformation](functions/overview.md#sa_fsaa_gettrusteeinformation) + - [SA_FSAA_GetResourcePermissions](functions/overview.md#sa_fsaa_getresourcepermissions) + - [SA_FSAA_GetGatePermissions](functions/overview.md#sa_fsaa_getgatepermissions) + - [SA_FSAA_GetExpandedPermissions](functions/overview.md#sa_fsaa_getexpandedpermissions) + - [SA_FSAA_GetExpandedPermissionsEx](functions/overview.md#sa_fsaa_getexpandedpermissionsex) + - [SA_FSAA_GetPolicyMembership](functions/overview.md#sa_fsaa_getpolicymembership) + - [SA_FSAA_GetLocalGroupMembership](functions/overview.md#sa_fsaa_getlocalgroupmembership) + - [SA_FSAA_GetEffectiveRights](functions/overview.md#sa_fsaa_geteffectiverights) + - 
[SA_FSAA_GetEffectiveRightsEx](functions/overview.md#sa_fsaa_geteffectiverightsex) + - [SA_FSAA_GetTrusteePermissionSource](functions/overview.md#sa_fsaa_gettrusteepermissionsource) + - [SA_FSAA_LookupResourcePath](functions/overview.md#sa_fsaa_lookupresourcepath) + - [SA_FSAA_LookupUncPath](functions/overview.md#sa_fsaa_lookupuncpath) + - [SA_FSAA_UpdateStatistics](functions/overview.md#sa_fsaa_updatestatistics) + +#### [Activity Collector Functions (SA_FSAC_*)](functions/overview.md#activity-collector-functions-sa_fsac_) + - [SA_FSAC_GetActiveFolderPermissions](functions/overview.md#sa_fsac_getactivefolderpermissions) + - [SA_FSAC_GetFolderActivityMask](functions/overview.md#sa_fsac_getfolderactivitymask) + +#### [DFS Functions (SA_FSDFS_*)](functions/overview.md#dfs-functions-sa_fsdfs_) + - [SA_FSDFS_LookupDfsPath](functions/overview.md#sa_fsdfs_lookupdfsepath) + +### [Index Reference](indexreference/overview.md) + - [Complete Index Listing](indexreference/overview.md#complete-index-listing) + +### [Foreign Key Reference](fkreference/overview.md) + - [Complete Foreign Key Listing](fkreference/overview.md#complete-foreign-key-listing) diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json new file mode 100644 index 0000000000..2c72e59702 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Views", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md new file mode 100644 index 0000000000..dfb327155a --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md 
@@ -0,0 +1,637 @@ +# Views + +FSAA, FSAC, and FSDLP views provide pre-joined, human-readable projections of the underlying tables. Reports and the FSAA web UI consume these views rather than the raw tables. + +:::note +For views, column sizes are derived from the underlying source columns and the SQL `CASE` expressions in the view definitions; on a populated database the actual `sys.columns.max_length` may differ slightly. Use `EXEC sp_help ''` to inspect a view's exact runtime shape. +::: + +--- + +## FSAA Views + +### SA_FSAA_Paths {#sa_fsaa_paths} + +**Description:** Per-resource path projection. This is a real `CREATE VIEW` that wraps the `SA_FSAA_GetPath` UDF — every read recomputes the path by walking the parent chain in `SA_FSAA_Resources`. (The create-schema script issues a defensive `DROP TABLE` first to clean up any legacy table-form from older builds.) + +**Source:** `SA_FSAA_Resources` (parent-chain walk performed by `SA_FSAA_GetPath` UDF). + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HOST | int | | No | SA_FSAA_Resources.HOST | Host partition | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | Resource | +| Path | nvarchar | 4000 | Yes | Computed (recursive concat of `SA_FSAA_Resources.Name` up the parent chain) | Full path string | + +--- + +### SA_FSAA_ResourcesView {#sa_fsaa_resourcesview} + +**Description:** Surface view of `SA_FSAA_Resources` enriched with computed full path, resource-type description, and three boolean flags (`PermissionChange`, `InheritedPermission`, `DirectPermission`). + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`. + +**Logic:** Outer-joins `SA_FSAA_Resources` with `SA_FSAA_Hosts`. The three permission booleans are computed via correlated `EXISTS` against `SA_FSAA_Rights`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | Host ID | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | Host name | +| ID | bigint | | No | SA_FSAA_Resources.ID | Resource ID | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | Parent resource | +| Name | nvarchar | 2000 | No | SA_FSAA_Resources.Name | Leaf name | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full path | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Share`, `Folder`, or `File` | +| OwnerID | int | | Yes | SA_FSAA_Resources.OwnerID | | +| RightsProxyID | int | | Yes | SA_FSAA_Resources.RightsProxyID | | +| GatesProxyID | bigint | | Yes | SA_FSAA_Resources.GatesProxyID | | +| NestedLevel | int | | No | SA_FSAA_Resources.NestedLevel | | +| Size | bigint | | Yes | SA_FSAA_Resources.Size | | +| LastModified | datetime | | Yes | SA_FSAA_Resources.LastModified | | +| LastAccessed | datetime | | Yes | SA_FSAA_Resources.LastAccessed | | +| Created | datetime | | Yes | SA_FSAA_Resources.Created | | +| USN | int | | No | SA_FSAA_Resources.USN | | +| DeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| PermissionChange | bit | | No | Computed (CASE / EXISTS) | True if ACL differs from parent | +| InheritedPermission | bit | | No | Computed (CASE / EXISTS) | True if any inherited rights exist | +| DirectPermission | bit | | No | Computed (CASE / EXISTS) | True if any direct rights exist | + +--- + +### SA_FSAA_PermissionsView {#sa_fsaa_permissionsview} + +**Description:** Resource × ACE flat view with effective allow/deny rights expanded into 12 boolean columns plus textual `Allow/DenyRightsDescription` (for example, `LRWDMA`) and a `RightsSource` column (`Direct` / `Inherited` / `Both` / `None`). 
+ +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Filter:** `r.RightsProxyID IS NOT NULL` (rows that have an ACL). + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | Host partition | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | Host name | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | Resource | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | Parent resource | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | NULL if not deleted | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full resource path | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Share` / `Folder` / `File` | +| AllowRights | smallint | | Yes | SA_FSAA_Rights.AllowRights | Combined bitmask | +| DenyRights | smallint | | Yes | SA_FSAA_Rights.DenyRights | Combined bitmask | +| AllowList | bit | | Yes | Computed (`AllowRights & 32`) | Has list right | +| AllowRead | bit | | Yes | Computed (`AllowRights & 1`) | Has read right | +| AllowWrite | bit | | Yes | Computed (`AllowRights & 2`) | Has write right | +| AllowDelete | bit | | Yes | Computed (`AllowRights & 4`) | Has delete right | +| AllowManage | bit | | Yes | Computed (`AllowRights & 8`) | Has manage right | +| AllowAdmin | bit | | Yes | Computed (`AllowRights & 16`) | Has admin right | +| DenyList | bit | | Yes | Computed (`DenyRights & 32`) | Deny list right | +| DenyRead | bit | | Yes | Computed (`DenyRights & 1`) | Deny read right | +| DenyWrite | bit | | Yes | Computed (`DenyRights & 2`) | Deny write right | +| DenyDelete | bit | | Yes | Computed (`DenyRights & 4`) | Deny delete right | +| DenyManage | bit | | Yes | Computed 
(`DenyRights & 8`) | Deny manage right | +| DenyAdmin | bit | | Yes | Computed (`DenyRights & 16`) | Deny admin right | +| AllowRightsDescription | varchar | 6 | Yes | Computed (concat letters L/R/W/D/M/A) | For example, `LRW` | +| DenyRightsDescription | varchar | 6 | Yes | Computed (concat letters L/R/W/D/M/A) | For example, `D` | +| RightsSource | varchar | 9 | Yes | Computed (CASE on Direct/Inherited columns) | `Both` / `Inherited` / `Direct` / `None` | +| AllowMask | int | | Yes | SA_FSAA_Rights.AllowMask | Full Windows access mask | +| DenyMask | int | | Yes | SA_FSAA_Rights.DenyMask | Full Windows deny mask | +| AllowMaskDescription | varchar | 32 | Yes | Computed (CASE) | `Full Control` / `Modify` / `Read & Execute` / etc. | +| DenyMaskDescription | varchar | 32 | Yes | Computed (CASE) | Same vocabulary as `AllowMaskDescription` | +| TrusteeID | int | | Yes | SA_FSAA_Rights.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | UDF column (TrusteeType) | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeIsHistoricalSID | bit | | Yes | UDF column | True if SID came from SID History | +| TrusteePrincipalID | int | | Yes | UDF column | AD-Inventory principal ID | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | For example, `Domain User` | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | NT domain | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | SAM account name | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | Concatenated NT-style name | + +--- + +### SA_FSAA_ExpandedPermissionsView {#sa_fsaa_expandedpermissionsview} + +**Description:** Resource × *expanded* effective trustee — group memberships are recursively expanded and the view returns one row per `(resource, leaf trustee)` instead of one per `(resource, ACE)`. 
Uses `CROSS APPLY dbo.SA_FSAA_GetExpandedPermissions(r.HOST, r.ID, 0, DEFAULT)` to do the expansion. + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetExpandedPermissions`. + +**Filter:** `r.RightsProxyID IS NOT NULL`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | Host partition | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | Host name | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | Resource | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | Parent resource | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full path | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Share` / `Folder` / `File` | +| AllowRights | smallint | | No | UDF column | Effective allow bitmask after group expansion | +| DenyRights | smallint | | No | UDF column | Effective deny bitmask | +| AllowList ... AllowAdmin | bit | | Yes | Computed (`AllowRights & N`) | Six boolean columns (bits 32, 1, 2, 4, 8, 16) | +| DenyList ... 
DenyAdmin | bit | | Yes | Computed (`DenyRights & N`) | Six boolean columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | Letter form `LRWDMA` | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| TrusteeSID | varchar | 184 | Yes | UDF column | Leaf-trustee SID | +| TrusteeType | smallint | | Yes | UDF column | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | + +--- + +### SA_FSAA_DirectPermissionsView {#sa_fsaa_directpermissionsview} + +**Description:** Same shape as `SA_FSAA_PermissionsView` but filtered to direct (non-inherited) ACEs only. Uses `p.DirectAllowRights` / `p.DirectDenyRights` / `p.DirectAllowMask` / `p.DirectDenyMask` instead of the combined columns; the column names in the output are still `AllowRights`, `DenyRights`, `AllowMask`, `DenyMask`. + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Filter:** `r.RightsProxyID IS NOT NULL AND ((p.DirectAllowRights <> 0) OR (p.DirectDenyRights <> 0) OR (p.DirectAllowMask <> 0) OR (p.DirectDenyMask <> 0))`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath / fallback `r.Name` | | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | +| AllowRights | smallint | | Yes | SA_FSAA_Rights.DirectAllowRights | | +| DenyRights | smallint | | Yes | SA_FSAA_Rights.DirectDenyRights | | +| AllowList ... AllowAdmin | bit | | Yes | Computed | Six bit columns | +| DenyList ... DenyAdmin | bit | | Yes | Computed | Six bit columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | `LRWDMA`-style | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| AllowMask | int | | Yes | SA_FSAA_Rights.DirectAllowMask | | +| DenyMask | int | | Yes | SA_FSAA_Rights.DirectDenyMask | | +| AllowMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| DenyMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| TrusteeID | int | | Yes | SA_FSAA_Rights.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | UDF column | | +| TrusteeIsHistoricalSID | bit | | Yes | UDF column | | +| TrusteePrincipalID | int | | Yes | UDF column | | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAA_InheritedPermissionsView {#sa_fsaa_inheritedpermissionsview} + 
+**Description:** Same shape as `SA_FSAA_DirectPermissionsView` but reads from the `Inherited*` rights/mask columns. The output column names (`AllowRights`, `DenyRights`, `AllowMask`, `DenyMask`) are identical to `SA_FSAA_DirectPermissionsView`; only the underlying `SA_FSAA_Rights` source columns change. + +**Source tables:** `SA_FSAA_Resources`, `SA_FSAA_Hosts`, `SA_FSAA_Rights`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Filter:** `r.RightsProxyID IS NOT NULL AND ((p.InheritedAllowRights <> 0) OR (p.InheritedDenyRights <> 0) OR (p.InheritedAllowMask <> 0) OR (p.InheritedDenyMask <> 0))`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Resources.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ResourceID | bigint | | No | SA_FSAA_Resources.ID | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath / fallback `r.Name` | | +| ResourceType | tinyint | | No | SA_FSAA_Resources.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | +| AllowRights | smallint | | Yes | SA_FSAA_Rights.InheritedAllowRights | | +| DenyRights | smallint | | Yes | SA_FSAA_Rights.InheritedDenyRights | | +| AllowList ... AllowAdmin | bit | | Yes | Computed | Six bit columns | +| DenyList ... 
DenyAdmin | bit | | Yes | Computed | Six bit columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | `LRWDMA`-style | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| AllowMask | int | | Yes | SA_FSAA_Rights.InheritedAllowMask | | +| DenyMask | int | | Yes | SA_FSAA_Rights.InheritedDenyMask | | +| AllowMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| DenyMaskDescription | varchar | 32 | Yes | Computed (CASE) | | +| TrusteeID | int | | Yes | SA_FSAA_Rights.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | UDF column | | +| TrusteeIsHistoricalSID | bit | | Yes | UDF column | | +| TrusteePrincipalID | int | | Yes | UDF column | | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAA_SharesTraversalView {#sa_fsaa_sharestraversalview} + +**Description:** For every resource reachable through a gate, returns the gate, the resource, the share-relative resource path, and the SMB / NFS UNC path. + +**Source tables:** `SA_FSAA_Hosts`, `SA_FSAA_Gates`, `SA_FSAA_GatesProxy`, `SA_FSAA_Resources`, `SA_FSAA_Paths`. + +**Filter:** `r.GatesProxyID IS NOT NULL`. + +**Network-path logic:** if `g.GateType = 2` (NFS), builds `host:share//rel-path` where the relative path is `SUBSTRING(y.Path, LEN(g.DisplayName) + 2, 2048)`; otherwise builds `\\host\share\rel-path` by trimming the gate's local path off `y.Path` (`SUBSTRING(y.Path, LEN(g.Path), 2048)`). 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Hosts.ID | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| GateID | int | | Yes | SA_FSAA_Gates.ID | | +| GateType | int | | Yes | SA_FSAA_Gates.GateType | See [GateType](../enumeration/overview.md#gatetype) | +| GateTypeDescription | varchar | 3 | Yes | Computed (CASE) | `'SMB'` when `GateType = 0`, otherwise `'NFS'` (any non-zero `GateType`) | +| GateDeletedUSN | int | | Yes | SA_FSAA_Gates.DeletedUSN | | +| ShareID | bigint | | Yes | SA_FSAA_Gates.ShareID | | +| ShareName | nvarchar | 256 | Yes | SA_FSAA_Gates.DisplayName | | +| ResourceID | bigint | | Yes | SA_FSAA_Resources.ID | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceType | tinyint | | Yes | SA_FSAA_Resources.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | +| ResourcePath | nvarchar | 4000 | Yes | SA_FSAA_Paths.Path | Local resource path | +| NetworkPath | nvarchar | 4000 | Yes | Computed (see logic above) | UNC path or NFS-style path | +| NestedLevel | int | | Yes | Computed (`r.NestedLevel - g.NestedLevel`) | Depth from share root | + +--- + +### SA_FSAA_EffectiveAccessView {#sa_fsaa_effectiveaccessview} + +**Description:** Like `SA_FSAA_SharesTraversalView` but additionally resolves each row through `SA_FSAA_GetEffectiveRights` to attribute the effective allow/deny rights to each leaf trustee. Used to answer "who can do what on this resource through this share?" + +**Source tables:** `SA_FSAA_SharesTraversalView`, UDF `SA_FSAA_GetEffectiveRights`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_SharesTraversalView.HostID | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_SharesTraversalView.HostName | | +| GateID | int | | Yes | SA_FSAA_SharesTraversalView.GateID | | +| ShareID | bigint | | Yes | SA_FSAA_SharesTraversalView.ShareID | | +| ResourceID | bigint | | Yes | SA_FSAA_SharesTraversalView.ResourceID | | +| ShareName | nvarchar | 256 | Yes | SA_FSAA_SharesTraversalView.ShareName | | +| NestedLevel | int | | Yes | SA_FSAA_SharesTraversalView.NestedLevel | | +| ResourcePath | nvarchar | 4000 | Yes | SA_FSAA_SharesTraversalView.ResourcePath | | +| NetworkPath | nvarchar | 4000 | Yes | SA_FSAA_SharesTraversalView.NetworkPath | | +| ResourceType | tinyint | | Yes | SA_FSAA_SharesTraversalView.ResourceType | | +| ResourceTypeDescription | varchar | 6 | Yes | SA_FSAA_SharesTraversalView.ResourceTypeDescription | | +| ResourceDeletedUSN | int | | Yes | SA_FSAA_SharesTraversalView.ResourceDeletedUSN | | +| GateDeletedUSN | int | | Yes | SA_FSAA_SharesTraversalView.GateDeletedUSN | | +| AllowRights | smallint | | No | UDF column | Effective allow bitmask | +| DenyRights | smallint | | No | UDF column | Effective deny bitmask | +| DirectTrustee | bit | | Yes | UDF column | True if rights come from a direct ACE rather than group expansion | +| AllowList ... AllowAdmin | bit | | Yes | Computed | Six bit columns | +| DenyList ... 
DenyAdmin | bit | | Yes | Computed | Six bit columns | +| AllowRightsDescription | varchar | 6 | Yes | Computed | | +| DenyRightsDescription | varchar | 6 | Yes | Computed | | +| TrusteeSID | varchar | 184 | Yes | UDF column | | +| TrusteeType | smallint | | Yes | UDF column | | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeDomain | nvarchar | 128 | Yes | UDF column | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAA_LocalGroupMembersView {#sa_fsaa_localgroupmembersview} + +**Description:** Flat view of local-group memberships derived from `SA_FSAA_TrusteeEquivalence`. One row per `(group, member)` pair on a host, with both group and member identity columns expanded via `SA_FSAA_GetTrusteeInformation`. + +**Source tables:** `SA_FSAA_TrusteeEquivalence`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetTrusteeInformation` (called twice — once for the group, once for the member). 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_TrusteeEquivalence.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| GroupTrusteeID | int | | No | SA_FSAA_TrusteeEquivalence.EquivalentTrusteeID | | +| GroupSID | varchar | 184 | Yes | UDF column (group) | | +| GroupDisplayName | nvarchar | 256 | Yes | UDF column (group) | | +| GroupDomain | nvarchar | 128 | Yes | UDF column (group) | | +| GroupNTName | nvarchar | 256 | Yes | UDF column (group) | | +| GroupNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| MemberTrusteeID | int | | No | SA_FSAA_TrusteeEquivalence.TrusteeID | | +| MemberSID | varchar | 184 | Yes | UDF column (member) | | +| MemberDomain | nvarchar | 128 | Yes | UDF column (member) | | +| MemberNTName | nvarchar | 256 | Yes | UDF column (member) | | +| MemberDisplayName | nvarchar | 256 | Yes | UDF column (member) | | +| MemberNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| MemberType | smallint | | Yes | UDF column (member) | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| MemberTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| MemberPrincipalID | int | | Yes | UDF column (member) | AD-Inventory principal ID | + +--- + +### SA_FSAA_ExceptionsView {#sa_fsaa_exceptionsview} + +**Description:** `SA_FSAA_Exceptions` joined with the type catalog and with both `TrusteeID` and `SourceTrusteeID` resolved to display names. + +**Source tables:** `SA_FSAA_Exceptions`, `SA_FSAA_ExceptionTypes`, `SA_FSAA_Trustees` (twice — once for each trustee column), `SA_FSAA_Hosts`, `SA_FSAA_Resources`, `SA_FSAA_Gates`, UDF `SA_FSAA_GetTrusteeInformationEx`. + +**Path logic:** if both `ResourceID` and `GateID` are present, returns a UNC-style path `\\host\share`; if only `ResourceID`, returns the bare resource path from `SA_FSAA_GetPath`; otherwise NULL. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAA_Exceptions.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ExceptionType | int | | No | SA_FSAA_Exceptions.ExceptionType | | +| ParentType | int | | Yes | SA_FSAA_ExceptionTypes.ParentType | Hierarchical parent type | +| ExceptionName | varchar | 128 | No | SA_FSAA_ExceptionTypes.Name | | +| GateID | int | | Yes | SA_FSAA_Exceptions.GateID | | +| ResourceID | bigint | | Yes | SA_FSAA_Exceptions.ResourceID | | +| Path | nvarchar | 4000 | Yes | Computed (see logic above) | UNC path / resource path / NULL | +| TrusteeID | int | | Yes | SA_FSAA_Exceptions.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| TrusteeType | smallint | | Yes | SA_FSAA_Trustees.TrusteeType | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | +| TrusteePrincipalID | int | | Yes | UDF column | | +| SourceTrusteeID | int | | Yes | SA_FSAA_Exceptions.SourceTrusteeID | | +| SourceTrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID (second join) | | +| SourceTrusteeType | smallint | | Yes | SA_FSAA_Trustees.TrusteeType (second join) | | +| SourceTrusteeDisplayName | nvarchar | 256 | Yes | UDF column | | +| SourceTrusteeNTStyleName | nvarchar | 385 | Yes | Computed | | +| SourceTrusteePrincipalID | int | | Yes | UDF column | | + +--- + +## Activity Views (SA_FSAC_*) {#activity-views-sa_fsac_} + +### SA_FSAC_DailyActivityView {#sa_fsac_dailyactivityview} + +**Description:** Per-`(host, date, folder, trustee, operation)` activity row, with the trustee identity expanded and the operation code translated to a human-readable label. The most common entry point for activity reporting; one row per recorded daily-activity bucket. 
+ +**Source tables:** `SA_FSAC_DailyActivity`, `SA_FSAA_Hosts`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`, UDF `SA_FSAA_GetPath`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_DailyActivity.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ActivityDate | date | | No | SA_FSAC_DailyActivity.ActivityDate | | +| FolderID | bigint | | No | SA_FSAC_DailyActivity.FolderID | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | Full folder path | +| UserID | int | | No | SA_FSAC_DailyActivity.TrusteeID | | +| UserSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| UserType | smallint | | Yes | UDF column | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| UserPrincipalID | int | | Yes | UDF column | AD-Inventory principal ID | +| UserTypeDescription | varchar | 18 | Yes | Computed (CASE) | For example, `Domain User` | +| UserDisplayName | nvarchar | 256 | Yes | UDF column | | +| UserNTName | nvarchar | 256 | Yes | UDF column | | +| UserNTDomain | nvarchar | 128 | Yes | UDF column | | +| UserNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| Operation | tinyint | | No | SA_FSAC_DailyActivity.Operation | | +| OperationDescription | varchar | 18 | Yes | Computed (CASE) | `Read` / `Add` / `Update` / `Delete` / `Permission Change` / `Rename` | +| Allow | bit | | No | SA_FSAC_DailyActivity.Allow | | +| AllowDescription | varchar | 7 | Yes | Computed (CASE) | `Allowed` / `Denied` | +| OperationCount | int | | No | SA_FSAC_DailyActivity.Count | | + +--- + +### SA_FSAC_DailyUserActivityView {#sa_fsac_dailyuseractivityview} + +**Description:** Pivoted version of `SA_FSAC_DailyActivityView` — one row per `(host, date, folder, user)`, with separate columns for each operation type's count. Filtered to `Allow = 1` (allowed operations only). 
+ +**Source tables:** `SA_FSAC_DailyActivity` (pivoted on Operation), `SA_FSAA_Hosts`, `SA_FSAA_Trustees`, UDF `SA_FSAA_GetTrusteeInformationEx`, UDF `SA_FSAA_GetPath`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_DailyActivity.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ActivityDate | date | | No | SA_FSAC_DailyActivity.ActivityDate | | +| FolderID | bigint | | No | SA_FSAC_DailyActivity.FolderID | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| UserID | int | | No | SA_FSAC_DailyActivity.TrusteeID | | +| UserSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| UserType | smallint | | Yes | UDF column | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| UserPrincipalID | int | | Yes | UDF column | | +| UserTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| UserDisplayName | nvarchar | 256 | Yes | UDF column | | +| UserNTName | nvarchar | 256 | Yes | UDF column | | +| UserNTDomain | nvarchar | 128 | Yes | UDF column | | +| UserNTStyleName | nvarchar | 385 | Yes | Computed | | +| Reads | int | | No | Pivot (Operation = 0) | Read-operation count | +| Adds | int | | No | Pivot (Operation = 1) | Add-operation count | +| Updates | int | | No | Pivot (Operation = 2) | Update-operation count | +| Deletes | int | | No | Pivot (Operation = 3) | Delete-operation count | +| PermissionChanges | int | | No | Pivot (Operation = 4) | Permission-change count | +| Renames | int | | No | Pivot (Operation = 5) | Rename count | + +--- + +### SA_FSAC_DailyResourceActivityView {#sa_fsac_dailyresourceactivityview} + +**Description:** Same shape as `SA_FSAC_DailyUserActivityView` but rolled up across users — one row per `(host, date, folder)` with operation counts and a count of distinct active users. + +**Source tables:** `SA_FSAC_DailyActivity` (pivoted on Operation, then aggregated), `SA_FSAA_Hosts`, UDF `SA_FSAA_GetPath`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_DailyActivity.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| ActivityDate | date | | No | SA_FSAC_DailyActivity.ActivityDate | | +| FolderID | bigint | | No | SA_FSAC_DailyActivity.FolderID | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| Reads | int | | Yes | SUM (Operation = 0) | | +| Adds | int | | Yes | SUM (Operation = 1) | | +| Updates | int | | Yes | SUM (Operation = 2) | | +| Deletes | int | | Yes | SUM (Operation = 3) | | +| PermissionChanges | int | | Yes | SUM (Operation = 4) | | +| Renames | int | | Yes | SUM (Operation = 5) | | +| ActiveUsers | int | | Yes | COUNT(DISTINCT TrusteeID) | Distinct users with activity that day | + +--- + +### SA_FSAC_ActivityEventsView {#sa_fsac_activityeventsview} + +**Description:** Detailed event view — one row per `SA_FSAC_ActivityEvents` row, joined to resource metadata, process name, trustee identity, and (for renames) the rename target. + +**Source tables:** `SA_FSAC_ActivityEvents`, `SA_FSAA_Hosts`, `SA_FSAC_ProcessNames`, `SA_FSAA_Resources`, `SA_FSAA_Trustees`, `SA_FSAC_RenameTargets`, UDF `SA_FSAA_GetTrusteeInformationEx`, UDF `SA_FSAA_GetPath`. 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_ActivityEvents.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ID | bigint | | No | SA_FSAC_ActivityEvents.ID | | +| AccessTime | datetime2 | | No | SA_FSAC_ActivityEvents.AccessTime | | +| ResourceID | bigint | | No | SA_FSAC_ActivityEvents.PathID | | +| ResourceType | tinyint | | Yes | SA_FSAA_Resources.ResourceType | See [ResourceType](../enumeration/overview.md#resourcetype) | +| ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Folder` / `File` | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| ResourceName | nvarchar | 2000 | Yes | SA_FSAA_Resources.Name | | +| Path | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| ProcessID | int | | Yes | SA_FSAC_ActivityEvents.ProcessID | | +| ProcessName | nvarchar | 255 | Yes | SA_FSAC_ProcessNames.Name | | +| Operation | tinyint | | No | SA_FSAC_ActivityEvents.Operation | | +| OperationDescription | varchar | 18 | Yes | Computed (CASE) | | +| Allow | bit | | No | SA_FSAC_ActivityEvents.Allow | | +| AllowDescription | varchar | 7 | Yes | Computed (CASE) | `Allowed` / `Denied` | +| TargetResourceID | bigint | | Yes | SA_FSAC_RenameTargets.TargetPathID | (Renames only) | +| TargetResourceName | nvarchar | 2000 | Yes | SA_FSAA_Resources.Name (target) | (Renames only) | +| TargetParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID (target) | (Renames only) | +| TargetPath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath (target) | (Renames only) | +| UserID | int | | No | SA_FSAC_ActivityEvents.TrusteeID | | +| UserSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | +| UserDisplayName | nvarchar | 256 | Yes | UDF column | | +| UserNTDomain | nvarchar | 128 | Yes | UDF column | | +| UserNTName | nvarchar | 256 | Yes | UDF column | | +| UserType | smallint | | Yes | UDF column | See 
[TrusteeType](../enumeration/overview.md#trusteetype) | +| UserPrincipalID | int | | Yes | UDF column | | +| UserTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| UserNTStyleName | nvarchar | 385 | Yes | Computed | | + +--- + +### SA_FSAC_ExceptionsView {#sa_fsac_exceptionsview} + +**Description:** `SA_FSAC_Exceptions` joined to the type catalog and to the trustee / gate / resource references, with day-of-week and time-of-day translations. + +**Source tables:** `SA_FSAC_Exceptions`, `SA_FSAC_ExceptionTypes`, `SA_FSAA_Hosts`, `SA_FSAA_Gates`, `SA_FSAA_Resources`, UDF `SA_FSAA_GetPath`, UDF `SA_FSAA_GetTrusteeInformation`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_Exceptions.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ID | int | | No | SA_FSAC_Exceptions.ID | | +| ExceptionType | int | | No | SA_FSAC_Exceptions.ExceptionType | | +| ParentType | int | | Yes | SA_FSAC_ExceptionTypes.ParentType | | +| ExceptionName | varchar | 128 | No | SA_FSAC_ExceptionTypes.Name | | +| ActivityDate | date | | No | SA_FSAC_Exceptions.ActivityDate | | +| ActivityHour | tinyint | | Yes | SA_FSAC_Exceptions.ActivityHour | | +| DayOfWeek | nvarchar | 30 | Yes | Computed (`DATENAME(dw, ActivityDate)`) | For example, `Monday` | +| TimeOfDay | varchar | 8 | Yes | Computed (CASE on ActivityHour) | For example, `3 PM`, `12 AM` | +| GateID | int | | No | SA_FSAC_Exceptions.GateID | | +| ResourceID | bigint | | Yes | SA_FSAC_Exceptions.ResourceID | | +| Path | nvarchar | 4000 | Yes | Computed (`\\host\share`) | | +| TrusteeID | int | | Yes | SA_FSAC_Exceptions.TrusteeID | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| NTDomain | nvarchar | 128 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| NTName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed 
(`Domain\Name`) | | +| TrusteeType | smallint | | Yes | UDF: SA_FSAA_GetTrusteeInformation | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| Value | int | | Yes | SA_FSAC_Exceptions.Value | | +| Average | float | | Yes | SA_FSAC_Exceptions.Average | | +| StandardDeviations | float | | Yes | SA_FSAC_Exceptions.StandardDeviations | | + +--- + +### SA_FSAC_UserExceptionsView {#sa_fsac_userexceptionsview} + +**Description:** Same shape as `SA_FSAC_ExceptionsView` but partitioned by user `SID` rather than `(HOST, ID)`. Used for cross-host user-behaviour anomalies. Trustee identity is resolved by joining `SA_ADInventory_UsersView` on the SID. + +**Source tables:** `SA_FSAC_UserExceptions`, `SA_FSAC_UserExceptionTypes`, `SA_ADInventory_UsersView`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| ID | int | | No | SA_FSAC_UserExceptions.ID | | +| ExceptionType | int | | No | SA_FSAC_UserExceptions.ExceptionType | | +| ParentType | int | | Yes | SA_FSAC_UserExceptionTypes.ParentType | | +| ExceptionName | varchar | 128 | No | SA_FSAC_UserExceptionTypes.Name | | +| ActivityDate | date | | No | SA_FSAC_UserExceptions.ActivityDate | | +| ActivityStartTime | tinyint | | Yes | SA_FSAC_UserExceptions.ActivityStartTime | Start hour 0–23 | +| ActivityPeriod | tinyint | | Yes | SA_FSAC_UserExceptions.ActivityPeriod | Window length in hours | +| DayOfWeek | nvarchar | 30 | Yes | Computed (`DATENAME(dw, ActivityDate)`) | For example, `Monday` | +| TimeOfDay | varchar | 8 | Yes | Computed (CASE on ActivityStartTime) | For example, `3 PM`, `12 AM` | +| TrusteeDisplayName | nvarchar | 256 | Yes | SA_ADInventory_UsersView.DisplayName | | +| NTDomain | nvarchar | 128 | Yes | SA_ADInventory_UsersView.DomainName | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | SA_ADInventory_UsersView.NTAccount | `Domain\Name` | +| TrusteeSID | varchar | 184 | No | 
SA_FSAC_UserExceptions.SID | | +| TrusteePrincipalID | int | | Yes | SA_ADInventory_UsersView.PrincipalId | | +| Value | int | | Yes | SA_FSAC_UserExceptions.Value | | +| Average | float | | Yes | SA_FSAC_UserExceptions.Average | | +| StandardDeviations | float | | Yes | SA_FSAC_UserExceptions.StandardDeviations | | + +--- + +### SA_FSAC_PermissionChangesView {#sa_fsac_permissionchangesview} + +**Description:** Surface view over `SA_FSAC_PermissionChanges` that resolves the affected trustee and decodes the ACL / ACE / inheritance / access-rights bitmasks into descriptive strings. + +:::note +This view does not join `SA_FSAC_ActivityEvents` or `SA_FSAA_Resources` — the access time and resource path are not exposed; reports needing them must join `SA_FSAC_ActivityEvents` themselves. +::: + +**Source tables:** `SA_FSAC_PermissionChanges`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetTrusteeInformation`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSAC_PermissionChanges.HOST | | +| HostName | nvarchar | 64 | No | SA_FSAA_Hosts.HOST | | +| ActivityID | bigint | | No | SA_FSAC_PermissionChanges.ActivityID | | +| ChangeID | smallint | | No | SA_FSAC_PermissionChanges.ChangeID | | +| AclType | tinyint | | No | SA_FSAC_PermissionChanges.AclType | | +| AclTypeDescription | varchar | 4 | Yes | Computed (CASE) | `DACL` / `SACL` | +| TrusteeID | int | | No | SA_FSAC_PermissionChanges.TrusteeID | | +| TrusteeSID | varchar | 184 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeType | smallint | | Yes | UDF: SA_FSAA_GetTrusteeInformation | See [TrusteeType](../enumeration/overview.md#trusteetype) | +| TrusteeTypeDescription | varchar | 18 | Yes | Computed (CASE) | | +| TrusteePrincipalID | int | | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeDisplayName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeDomainName | nvarchar | 128 | Yes | UDF: 
SA_FSAA_GetTrusteeInformation | | +| TrusteeNTName | nvarchar | 256 | Yes | UDF: SA_FSAA_GetTrusteeInformation | | +| TrusteeNTStyleName | nvarchar | 385 | Yes | Computed (`Domain\Name`) | | +| ChangeType | tinyint | | No | SA_FSAC_PermissionChanges.ChangeType | | +| ChangeTypeDescription | varchar | 6 | Yes | Computed (CASE) | `Add` / `Remove` / `Update` | +| AceType | tinyint | | No | SA_FSAC_PermissionChanges.AceType | | +| AceTypeDescription | varchar | 16 | Yes | Computed (CASE) | `Allowed`, `Denied`, `Object Allowed`, `Object Denied`, `System Audit`, `System Alarm`, `Object Audit`, `Object Alarm` | +| InheritanceFlags | tinyint | | No | SA_FSAC_PermissionChanges.InheritanceFlags | | +| InheritanceFlagsDescription | varchar | 64 | Yes | Computed (bitmask decode) | Comma-joined: `Inheritance Blocked` / `Inheritance Allowed` / `Child Objects Inherit` | +| AceFlags | tinyint | | No | SA_FSAC_PermissionChanges.AceFlags | | +| AceFlagsDescription | varchar | 256 | Yes | Computed (bitmask decode) | Comma-joined: `Container Inherit`, `Object Inherit`, `No Propogate`, `Inheritance Only`, `Ace Is Inherited`, `Successful Access Audit`, `Failed Access Audit` | +| AccessRights | bigint | | No | SA_FSAC_PermissionChanges.AccessRights | | +| AccessRightsDescription | varchar | 32 | Yes | Computed (CASE) | Windows-style label such as `Full Control`, `Modify`, `Read`, `Write`, `Special` | +| NewAccessRights | bigint | | Yes | SA_FSAC_PermissionChanges.NewAccessRights | | +| NewAccessRightsDescription | varchar | 32 | Yes | Computed (CASE) | Same vocabulary as `AccessRightsDescription` | + +--- + +## Sensitive Data Views (SA_FSDLP_*) {#sensitive-data-views-sa_fsdlp_} + +### SA_FSDLP_MatchesView {#sa_fsdlp_matchesview} + +**Description:** `SA_FSDLP_Matches` enriched with file path, criterion name and GUID, a human-readable `DataSource` description, and an `IsExcluded` flag computed from the SDD exclusion-filter table. 
+ +**Source tables:** `SA_FSDLP_Matches`, `SA_FSAA_Hosts`, `SA_FSDLP_Criteria`, `SA_FSAA_Resources`, `SA_FSAA_SharesTraversalView`, `SA_SDDExclusionFilters`, UDF `SA_FSAA_GetPath`. + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSDLP_Matches.HOST | | +| HostName | nvarchar | 64 | Yes | SA_FSAA_Hosts.HOST | | +| CriteriaId | int | | No | SA_FSDLP_Matches.CriteriaId | | +| CriteriaName | nvarchar | 256 | Yes | SA_FSDLP_Criteria.Name | | +| CriteriaGUID | uniqueidentifier | | Yes | SA_FSDLP_Criteria.pattern_guid | | +| ResourceID | bigint | | No | SA_FSDLP_Matches.FileId | | +| ParentResourceID | bigint | | Yes | SA_FSAA_Resources.ParentResourceID | | +| FileName | nvarchar | 2000 | Yes | SA_FSAA_Resources.Name | | +| FilePath | nvarchar | 4000 | Yes | UDF: SA_FSAA_GetPath | | +| MatchCount | int | | Yes | SA_FSDLP_Matches.MatchCount | | +| DataSource | varchar | 30 | Yes | Computed (CASE) | `Content` / `Metadata` / `Filename` / combinations | +| IsExcluded | bit | | No | Computed (EXISTS against `SA_SDDExclusionFilters`) | True if the file is covered by an exclusion filter | + +--- + +### SA_FSDLP_MatchHitsView {#sa_fsdlp_matchhitsview} + +**Description:** `SA_FSDLP_MatchHits` joined to `SA_FSDLP_MatchesView` so each hit carries the parent file/criterion identity. Used by the Sensitive Data report's drill-down view. + +**Source tables:** `SA_FSDLP_MatchHits` (aliased `H`), `SA_FSDLP_MatchesView` (aliased `M`). 
+ +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| HostID | int | | No | SA_FSDLP_MatchesView.HostID | | +| HostName | nvarchar | 64 | Yes | SA_FSDLP_MatchesView.HostName | | +| CriteriaID | int | | No | SA_FSDLP_MatchesView.CriteriaId | | +| CriteriaName | nvarchar | 256 | Yes | SA_FSDLP_MatchesView.CriteriaName | | +| CriteriaGUID | uniqueidentifier | | Yes | SA_FSDLP_MatchesView.CriteriaGUID | | +| ResourceID | bigint | | No | SA_FSDLP_MatchesView.ResourceID | | +| ParentResourceID | bigint | | Yes | SA_FSDLP_MatchesView.ParentResourceID | | +| FileName | nvarchar | 2000 | Yes | SA_FSDLP_MatchesView.FileName | | +| FilePath | nvarchar | 4000 | Yes | SA_FSDLP_MatchesView.FilePath | | +| MatchCount | int | | Yes | SA_FSDLP_MatchesView.MatchCount | | +| SubFileName | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.SubFileName | | +| MatchPrefix | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.MatchPrefix | | +| MatchData | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.MatchData | | +| MatchSuffix | nvarchar | 1024 | Yes | SA_FSDLP_MatchHits.MatchSuffix | | +| Confidence | int | | No | SA_FSDLP_MatchHits.Confidence | | +| DataSource | varchar | 30 | Yes | Computed (CASE on `SA_FSDLP_MatchHits.DataSource`) | Same vocabulary as `SA_FSDLP_MatchesView.DataSource` | diff --git a/docs/accessanalyzer/11.6/admin/schema/overview.md b/docs/accessanalyzer/11.6/admin/schema/overview.md index 398c764625..038bf4dbd2 100644 --- a/docs/accessanalyzer/11.6/admin/schema/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/overview.md 
@@ -14,3 +14,14 @@ The SQL Data Collector discovers, audits, and reports on SQL Server instances, d - **[Index Reference](sqldc/indexreference/overview.md)** — Documentation of database indexes - **[Functions & Stored Procedures](sqldc/functions/overview.md)** — SQL scalar functions and stored procedures +## [File System Access Data Collector Schema](fsaadc/overview.md) + +The File System Access Data Collector (FSAA) audits Windows and NFS file systems for permissions, ownership, content, activity, and sensitive-data classification across Windows servers, NetApp / EMC / Dell filers, and Linux/Unix hosts. The schema documentation covers: + +- **[Entity Relationship Diagrams](fsaadc/erd/overview.md)** — Visual ERDs showing table relationships across all four collector modules +- **[Core Data Collection Tables](fsaadc/coretables/overview.md)** — 40 normalized tables populated directly by data collectors (FSAA, FSAC, FSDLP, and DFS modules) +- **[Views](fsaadc/views/overview.md)** — 19 SQL views that join and denormalize data for reporting and the FSAA web UI +- **[Enumeration & Lookup Values](fsaadc/enumeration/overview.md)** — Reference for TrusteeType, ResourceType, GateType, and the rights bitmask +- **[Functions & Stored Procedures](fsaadc/functions/overview.md)** — UDFs and stored procedures for path resolution, membership expansion, and effective-access computation +- **[Index Reference](fsaadc/indexreference/overview.md)** — Complete listing of database indexes +- **[Foreign Key Reference](fsaadc/fkreference/overview.md)** — Complete listing of foreign key constraints and cascade behaviors From be9d036e912d81ea24389a0273927cafeef82c36 Mon Sep 17 00:00:00 2001 
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 20:48:32 +0000 Subject: [PATCH 2/3] fix(vale): auto-fix style issues (Vale + Dale) --- .../11.6/admin/schema/fsaadc/coretables/overview.md | 2 +- .../11.6/admin/schema/fsaadc/enumeration/overview.md | 6 +++--- .../accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md | 4 ++-- .../11.6/admin/schema/fsaadc/fkreference/overview.md | 2 +- .../11.6/admin/schema/fsaadc/functions/overview.md | 6 +++--- .../11.6/admin/schema/fsaadc/views/overview.md | 6 +++--- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md index c87408e15f..32228d8268 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md @@ -525,7 +525,7 @@ The **Rights bitmask** (`AllowRights` / `DenyRights`) uses the simplified six-bi | RunTime | datetime2 | | Yes | | | | When the scan ran | | FSAAConfigXml | xml | | Yes | | | | Snapshot of the FSAA XML configuration | -This table is intentionally append-only with no primary key, foreign keys, or indexes. Every scan run inserts a new row; rows are never updated and are not referenced by other tables. Querying is by `ScanHost` / `RunTime` and is expected to be infrequent (forensic / support use). +This table is intentionally append-only with no primary key, foreign keys, or indexes. Every scan run inserts a new row; rows are never updated and aren't referenced by other tables. Querying is by `ScanHost` / `RunTime` and is expected to be infrequent (forensic / support use). --- diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md index b3f3319482..71aa35e3bf 100644 
--- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/enumeration/overview.md @@ -1,6 +1,6 @@ # Enumeration & Lookup Values Reference -This section documents the possible values stored in coded columns used throughout the FSAA DC schema. These values appear in core data tables and are decoded into human-readable labels by views. +This section documents the possible values stored in coded columns used throughout the FSAA DC schema. These values appear in core data tables, and views decode them into human-readable labels. --- @@ -10,7 +10,7 @@ Referenced by `SA_FSAA_Trustees.TrusteeType` and `SA_FSAA_LocalTrustees.TrusteeT | Value | Name | Description | |---|---|---| -| 0 | Unknown | Type could not be determined | +| 0 | Unknown | Type couldn't be determined | | 1 | SecurityPrincipal | Built-in / well-known security principal (for example, `Everyone`) | | 2 | LocalUser | Local user account | | 3 | LocalGroup | Local group account | @@ -94,5 +94,5 @@ The corresponding Windows mask values are stored separately in the `*Mask` colum | 1179648 | Read Permissions | :::note -Many additional special-permission decimal values are decoded by the `CASE` expression in `SA_FSAA_PermissionsView` / `SA_FSAA_DirectPermissionsView` / `SA_FSAA_InheritedPermissionsView`. +The `CASE` expression in `SA_FSAA_PermissionsView` / `SA_FSAA_DirectPermissionsView` / `SA_FSAA_InheritedPermissionsView` decodes many additional special-permission decimal values. ::: diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md index 42c771436c..37fa8ca0bc 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md 
@@ -1,6 +1,6 @@ # Table Relationship Diagrams (ERD) -The schema is broken into subsystem-focused sub-diagrams below. Relationship lines use standard crow's foot notation: a single vertical bar on the parent side and a crow's foot (fork) on the child side means "exactly one parent, zero or more children"; a single bar on each side with an open circle means one-to-zero-or-one (sidecar / extension table). +The following subsystem-focused sub-diagrams divide the schema. Relationship lines use standard crow's foot notation: a single vertical bar on the parent side and a crow's foot (fork) on the child side means "exactly one parent, zero or more children"; a single bar on each side with an open circle means one-to-zero-or-one (sidecar / extension table). :::note Every core table includes a `HOST INT` column that is a foreign key to `SA_FSAA_Hosts.ID` with `ON DELETE CASCADE`. To keep the sub-diagrams readable, that fan-out is shown only in the **Top-level partitioning** diagram; in the other diagrams `HOST` is implicit on every relationship. 
@@ -12,7 +12,7 @@ Tables not shown in any diagram (no foreign keys): `SA_FSAA_SchemaVer` (single-r ## Top-level Partitioning -`SA_FSAA_Hosts` is the root of the schema. Every other table includes a `HOST` column whose foreign key cascades on delete, so removing a host atomically purges its entire data set. The diagrams below are **representative, not exhaustive** — they show the parent tables for each subsystem; the per-subsystem diagrams below cover the remaining HOST-partitioned tables (for example, `SA_FSAA_Rights`, `SA_FSAA_LocalTrustees`, `SA_FSAA_GatesProxy`, `SA_FSAA_Policies`, the four `SA_FSAA_File*` aggregations, and every `SA_FSAC_*` / `SA_FSDLP_*` / `SA_FSDFS_*` table). +`SA_FSAA_Hosts` is the root of the schema. Every other table includes a `HOST` column whose foreign key cascades on delete, so removing a host atomically purges its entire data set. The following diagrams are **representative, not exhaustive** — they show the parent tables for each subsystem; the per-subsystem diagrams later in this section cover the remaining HOST-partitioned tables (for example, `SA_FSAA_Rights`, `SA_FSAA_LocalTrustees`, `SA_FSAA_GatesProxy`, `SA_FSAA_Policies`, the four `SA_FSAA_File*` aggregations, and every `SA_FSAC_*` / `SA_FSDLP_*` / `SA_FSDFS_*` table). **Core subsystem roots:** diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md index 68c7aa6db2..6f505e5b71 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/fkreference/overview.md 
@@ -2,7 +2,7 @@ ## Complete Foreign Key Listing -| FK Name | Parent Table | Parent Column(s) | Referenced Table | Referenced Column(s) | On Delete | +| FK Name | Parent Table | Parent Columns | Referenced Table | Referenced Columns | On Delete | |---|---|---|---|---|---| | FK_SA_FSAA_ImportHistory_HOST | SA_FSAA_ImportHistory | HOST | SA_FSAA_Hosts | ID | CASCADE | | FK_SA_FSAA_Trustees_HOST | SA_FSAA_Trustees | HOST | SA_FSAA_Hosts | ID | CASCADE | diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md index 7c9cdbc963..452cddfb87 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/functions/overview.md @@ -12,7 +12,7 @@ All functions and procedures live in the `dbo` schema. Most of the table-valued **Type:** Scalar function -**Description:** Walks the parent chain in `SA_FSAA_Resources` and concatenates names with the appropriate delimiter (`/` for Unix resources of type 5/6, `\` for everything else) to produce the full resource path. Returns NULL if the resource is not found. +**Description:** Walks the parent chain in `SA_FSAA_Resources` and concatenates names with the appropriate delimiter (`/` for Unix resources of type 5/6, `\` for everything else) to produce the full resource path. Returns NULL if the resource isn't found. --- 
@@ -32,7 +32,7 @@ All functions and procedures live in the `dbo` schema. Most of the table-valued **Type:** Scalar function -**Description:** Returns 1 if the trustee is a (recursive) member of the group, else 0. Encodes well-known fast paths for `Everyone (S-1-1-0)`, `Authenticated Users (S-1-5-11)` (excluding Guest, Anonymous, and Domain Computers), and `Domain Users (S-1-5-21-...-513)`. Falls back to `SA_FSAA_GetTrusteeMembership` when the relationship cannot be answered by a fast path. +**Description:** Returns 1 if the trustee is a (recursive) member of the group, else 0. Encodes well-known fast paths for `Everyone (S-1-1-0)`, `Authenticated Users (S-1-5-11)` (excluding Guest, Anonymous, and Domain Computers), and `Domain Users (S-1-5-21-...-513)`. Falls back to `SA_FSAA_GetTrusteeMembership` when the relationship can't be answered by a fast path. --- @@ -62,7 +62,7 @@ All functions and procedures live in the `dbo` schema. Most of the table-valued **Type:** Inline table-valued function -**Description:** Returns a single row of trustee identity. For local trustees the values come from `SA_FSAA_LocalTrustees`; for domain trustees they come from the AD inventory's `SA_ADInventory_*` tables matched by SID (handling SID History when `IsHistoricalSID = 1`). The function does not project the SID — callers pass it in via `@objectSID` and the wrapper `SA_FSAA_GetTrusteeInformation` re-emits it from `SA_FSAA_Trustees`. +**Description:** Returns a single row of trustee identity. For local trustees the values come from `SA_FSAA_LocalTrustees`; for domain trustees they come from the AD inventory's `SA_ADInventory_*` tables matched by SID (handling SID History when `IsHistoricalSID = 1`). The function doesn't project the SID — callers pass it in via `@objectSID` and the wrapper `SA_FSAA_GetTrusteeInformation` re-emits it from `SA_FSAA_Trustees`. --- 
diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md index dfb327155a..63efdbc8f3 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/views/overview.md @@ -252,7 +252,7 @@ For views, column sizes are derived from the underlying source columns and the S | ResourceTypeDescription | varchar | 6 | Yes | Computed (CASE) | | | ResourceDeletedUSN | int | | Yes | SA_FSAA_Resources.DeletedUSN | | | ResourcePath | nvarchar | 4000 | Yes | SA_FSAA_Paths.Path | Local resource path | -| NetworkPath | nvarchar | 4000 | Yes | Computed (see logic above) | UNC path or NFS-style path | +| NetworkPath | nvarchar | 4000 | Yes | Computed (see Network-path logic) | UNC path or NFS-style path | | NestedLevel | int | | Yes | Computed (`r.NestedLevel - g.NestedLevel`) | Depth from share root | --- @@ -340,7 +340,7 @@ For views, column sizes are derived from the underlying source columns and the S | ExceptionName | varchar | 128 | No | SA_FSAA_ExceptionTypes.Name | | | GateID | int | | Yes | SA_FSAA_Exceptions.GateID | | | ResourceID | bigint | | Yes | SA_FSAA_Exceptions.ResourceID | | -| Path | nvarchar | 4000 | Yes | Computed (see logic above) | UNC path / resource path / NULL | +| Path | nvarchar | 4000 | Yes | Computed (see Path logic) | UNC path / resource path / NULL | | TrusteeID | int | | Yes | SA_FSAA_Exceptions.TrusteeID | | | TrusteeSID | varchar | 184 | Yes | SA_FSAA_Trustees.SID | | | TrusteeType | smallint | | Yes | SA_FSAA_Trustees.TrusteeType | | 
@@ -549,7 +549,7 @@ For views, column sizes are derived from the underlying source columns and the S **Description:** Surface view over `SA_FSAC_PermissionChanges` that resolves the affected trustee and decodes the ACL / ACE / inheritance / access-rights bitmasks into descriptive strings. :::note -This view does not join `SA_FSAC_ActivityEvents` or `SA_FSAA_Resources` — the access time and resource path are not exposed; reports needing them must join `SA_FSAC_ActivityEvents` themselves. +This view doesn't join `SA_FSAC_ActivityEvents` or `SA_FSAA_Resources` — the access time and resource path aren't exposed; reports needing them must join `SA_FSAC_ActivityEvents` themselves. ::: **Source tables:** `SA_FSAC_PermissionChanges`, `SA_FSAA_Hosts`, UDF `SA_FSAA_GetTrusteeInformation`. From eb536b829efb13e599441f2f7634a5f1701605bd Mon Sep 17 00:00:00 2001 From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com> Date: Wed, 6 May 2026 20:55:20 +0000 Subject: [PATCH 3/3] fix(vale): auto-fix style issues (Vale + Dale) --- .../11.6/admin/schema/fsaadc/coretables/overview.md | 12 ++++++------ .../11.6/admin/schema/fsaadc/erd/overview.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md index 32228d8268..67a8be7792 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/coretables/overview.md 
@@ -531,7 +531,7 @@ This table is intentionally append-only with no primary key, foreign keys, or in ## Activity Collector Tables (SA_FSAC_*) {#activity-collector-tables-sa_fsac_} -The following tables are produced by the **File System Activity Collector**. They capture audit events streamed from agents on the file servers and roll those events up into daily-activity aggregates and exception detections. +The **File System Activity Collector** produces the following tables. They capture audit events streamed from agents on the file servers and roll those events up into daily-activity aggregates and exception detections. ### SA_FSAC_ProcessNames {#sa_fsac_processnames} @@ -630,7 +630,7 @@ The following tables are produced by the **File System Activity Collector**. The ### SA_FSAC_DailyActivity {#sa_fsac_dailyactivity} -**Description:** Daily aggregation of activity-event counts, partitioned by `(host, date, folder, trustee, operation, allow)`. The folder ID is the *containing folder* for the operation, so each row counts how many operations of a given type a trustee performed in a folder on a given day. This table feeds the daily-activity views and the *Most Active Users* / *Most Active Servers* reports. +**Description:** Daily aggregation of activity-event counts, partitioned by `(host, date, folder, trustee, operation, allow)`. The folder ID is the *containing folder* for the operation, so each row counts how many times a trustee performed a given operation type in a folder on a given day. This table feeds the daily-activity views and the *Most Active Users* / *Most Active Servers* reports. | Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | |---|---|---|---|---|---|---|---| 
@@ -755,7 +755,7 @@ No foreign keys are declared on this table; `GateID`, `TrusteeID`, `ResourceID`, ## Sensitive Data Tables (SA_FSDLP_*) {#sensitive-data-tables-sa_fsdlp_} -The following tables are produced by the **Sensitive Data / DLP collector**. They capture matches against configured DLP criteria, including per-match excerpt context and links to the subject-profile system that ties hits to specific identities. +The **Sensitive Data / DLP collector** produces the following tables. They capture matches against configured DLP criteria, including per-match excerpt context and links to the subject-profile system that ties hits to specific identities. ### SA_FSDLP_ImportHistory {#sa_fsdlp_importhistory} @@ -782,7 +782,7 @@ The following tables are produced by the **Sensitive Data / DLP collector**. The |---|---|---|---|---|---|---|---| | HOST | int | | No | PK | FK → SA_FSAA_Hosts.ID | | Host partition | | ID | int | | No | PK | | | Per-host criterion ID | -| Name | nvarchar | 256 | No | | | | Criterion name (for example, "US Social Security Number") | +| Name | nvarchar | 256 | No | | | | Criterion name (for example, "U.S. Social Security Number") | | Risk | int | | No | | | `0` | Risk score | | pattern_guid | uniqueidentifier | | Yes | | | | Global criterion GUID | @@ -873,7 +873,7 @@ The `SA_SubjectProfile_*` tables are owned by the central Subject Profile module ## DFS Namespace Tables (SA_FSDFS_*) {#dfs-namespace-tables-sa_fsdfs_} -The following tables are produced by the **DFS Namespace collector**. They capture Microsoft DFS namespaces and the links that map DFS paths to underlying physical shares. +The **DFS Namespace collector** produces the following tables. They capture Microsoft DFS namespaces and the links that map DFS paths to underlying physical shares. ### SA_FSDFS_Namespaces {#sa_fsdfs_namespaces} 
@@ -916,7 +916,7 @@ The following tables are produced by the **DFS Namespace collector**. They captu | Timeout | int | | Yes | | | | DFS-link cache timeout | | DfsGuid | uniqueidentifier | | Yes | | | | DFS link's unique identifier | | Comment | nvarchar | 1024 | Yes | | | | Free-text comment | -| IsRoot | bit | | No | | | | True if this link represents the namespace root rather than a sub-link | +| IsRoot | bit | | No | | | | True if the DFS link represents the namespace root rather than a sub-link | **Primary Key:** `PK_SA_FSDFS_Links` — clustered on `(HOST, ID)` diff --git a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md index 37fa8ca0bc..071b371c04 100644 --- a/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/fsaadc/erd/overview.md 
@@ -12,7 +12,7 @@ Tables not shown in any diagram (no foreign keys): `SA_FSAA_SchemaVer` (single-r ## Top-level Partitioning -`SA_FSAA_Hosts` is the root of the schema. Every other table includes a `HOST` column whose foreign key cascades on delete, so removing a host atomically purges its entire data set. The following diagrams are **representative, not exhaustive** — they show the parent tables for each subsystem; the per-subsystem diagrams later in this section cover the remaining HOST-partitioned tables (for example, `SA_FSAA_Rights`, `SA_FSAA_LocalTrustees`, `SA_FSAA_GatesProxy`, `SA_FSAA_Policies`, the four `SA_FSAA_File*` aggregations, and every `SA_FSAC_*` / `SA_FSDLP_*` / `SA_FSDFS_*` table). +`SA_FSAA_Hosts` is the root of the schema. Every other table includes a `HOST` column whose foreign key cascades on delete, so removing a host atomically purges its entire data set. The following diagrams are **representative, not exhaustive** — they show the parent tables for each subsystem; the per-subsystem diagrams that follow cover the remaining HOST-partitioned tables (for example, `SA_FSAA_Rights`, `SA_FSAA_LocalTrustees`, `SA_FSAA_GatesProxy`, `SA_FSAA_Policies`, the four `SA_FSAA_File*` aggregations, and every `SA_FSAC_*` / `SA_FSDLP_*` / `SA_FSDFS_*` table). **Core subsystem roots:**
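Review bot: in erd/overview.md, hunk `@@ -1,6 +1,6 @@` of patch 2, the rewritten opening sentence "The following subsystem-focused sub-diagrams divide the schema" makes the diagrams the actor, but the diagrams depict the schema, they do not divide it. The original meaning was that the schema is presented in pieces. Suggest wording that stays in the active voice and keeps that meaning, for example "The following sub-diagrams show the schema one subsystem at a time."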
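Review bot: in functions/overview.md, hunk `@@ -32,7 +32,7 @@`, the replacement only swaps "cannot" for "can't" and leaves the passive "can't be answered by a fast path", while the other hunks in this commit convert passives to active voice. For consistency, suggest "Falls back to `SA_FSAA_GetTrusteeMembership` when no fast path can answer the relationship."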
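Review bot: in views/overview.md, hunk `@@ -252,7 +252,7 @@`, the `NetworkPath` row now reads "Computed (see Network-path logic)", which names a section as plain text; nothing in the hunk shows a heading with that title, so the reader has no way to resolve it. Make it a link to the heading's anchor, and confirm the heading text matches. The same applies to "Computed (see Path logic)" on the `Path` row in hunk `@@ -340,7 +340,7 @@`.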
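Review bot: in views/overview.md, hunk `@@ -549,7 +549,7 @@`, the note says the view joins neither `SA_FSAC_ActivityEvents` nor `SA_FSAA_Resources`, but the second clause tells report authors to join only `SA_FSAC_ActivityEvents` to get both the access time and the resource path. Since this sentence is being reworded anyway, state which table supplies the resource path and name the column that links `SA_FSAC_PermissionChanges` to `SA_FSAC_ActivityEvents`, so that anyone reconstructing a permission-change timeline from this view knows the join.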
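Review bot: in coretables/overview.md, hunk `@@ -630,7 +630,7 @@` of patch 3, the reworded sentence "each row counts how many times a trustee performed a given operation type in a folder on a given day" still leaves out `allow`, which is part of the partition key `(host, date, folder, trustee, operation, allow)` given in the sentence before it. A reader summing rows for activity reports needs to know that counts are also split on that column. Suggest adding it to the sentence and saying what the two values of `allow` mean.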
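Review bot: in coretables/overview.md, hunk `@@ -782,7 +782,7 @@`, the style auto-fix changed the quoted example in the `Name` row from "US Social Security Number" to "U.S. Social Security Number". That string is presented as a sample value of the stored criterion name, not as prose, so it should match what the product actually stores. Confirm the real criterion name and revert this line if it is spelled "US"; consider putting the example in backticks so the linter skips it.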
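Review bot: in erd/overview.md, hunk `@@ -12,7 +12,7 @@` of patch 3, the sentence now says "The following diagrams are representative, not exhaustive" and, in the same sentence, "the per-subsystem diagrams that follow cover the remaining HOST-partitioned tables", so "following" and "that follow" point at two different sets of diagrams. Patch 2's wording for the same line, "later in this section", kept them apart. Suggest naming the first set explicitly, for example "The diagrams under Core subsystem roots are representative", and squashing this change into patch 2 so the line is edited once in the series.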