Go Up
You are here: AdministrationMonitored Object Types, Actions, and AttributesSharePoint

Object Types and Attributes Monitored on SharePoint

Review a full list of object types and attributes Netwrix Auditor can collect on SharePoint.

NOTE: The attributes marked with * are reported without details, only the fact of change is reported.

The changes to object types marked with ** are reported with the "Not applicable" value in the "Who" and "Workstation" columns.

The changes to object types and attributes marked with *** are reported with the "Not applicable" value in the "Workstation" column.

Read access is reported for documents and lists and displays "Not applicable" in the "Workstation" column.

Object type Attributes

Group***

  • Membership

Permission Level***

  • Permissions

Site

  • Site URL
  • Permissions***
  • Permission Inheritance***

List

  • Permissions***
  • Permission Inheritance***

List Item

  • Attachments
  • Permissions***
  • Permission Inheritance***

  • List Item Properties*

Document

  • Document URL
  • Permissions***
  • Permission Inheritance***

  • Document Properties*
  • Content Modifications*

Farm**

  • Configuration Database

  • Configuration Database Server

  • Version

  • Managed Account for "Web Application Pool - {name}"

  • Managed Account for "Service Application Pool - {name}"

  • Managed Account for "Windows Service - {name}"

  • Managed Account for "Farm Account"

  • Managed Accounts

Web Application **

  • Web Application URL
  • Name

  • Port

  • User Permissions

  • Alternate Access Mappings

  • Content Database

  • Blocked File Extensions

Site Collection**

  • Site Collection URL

  • Content Database

  • Content Database Server

  • Site Storage Maximum Limit

  • Site Storage Warning Limit

  • Sandboxed Solutions Resource Maximum Quota

  • Sandboxed Solutions Resource Warning Quota

  • Quota Template

  • Lock Status

Server**

  • Name

Service**

  • Name
  • Status

Permission Policy Level**

  • Name
  • Grant Permissions

  • Deny Permissions

  • Site Collection Permissions

User Policy**

  • Display Name
  • Permissions

Anonymous Policy**

  • Zone
  • Permissions

Farm Solution**

  • Name

  • Status

  • Last Operation Time

Farm Feature**

  • Name
  • Status

To collect State-in-Time data from a SharePoint farm, the following is required:

  • for site collection processing – lock status must differ from No access for Netwrix Auditor service account
  • for web application processing – the following permissions must be assigned to Netwrix Auditor service account:
    • Open items
    • View items
    • Browse directories
    • View pages
    • Browse user information
    • Open
    • Enumerate permissions

Means Granted

The Means granted column in the Account Permissions in SharePoint and SharePoint Object Permissions State-in-Time reports list detailed permissions and permission levels by user account.

Review the following for additional information:

Means granted Description

Permission level

Default permission levels are predefined sets of permissions that you can assign to individual users, groups of users, or security groups, based on their functional requirements and on security considerations.

SharePoint Server permission levels are defined at the site collection level; by default, they are inherited from the parent object.

For more information on SharePoint permissions and permission levels read the following Microsoft article: User permissions and permission levels in SharePoint Server.

Zone: Default (policy)

Zone: Intranet (policy)

Zone: Internet (policy)

Zone: Custom (policy)

Zone: Extranet (policy)

Zone

If you want to expose the same content in a web application to different types of users by using additional URLs or authentication methods, you can extend an existing web application into a new zone. When you extend the web application into a new zone, you create a separate Internet Information Services (IIS) web site to serve the same content, but with a unique URL and authentication type.

For more information on SharePoint zones read the following Microsoft article: SharePoint 2016: Extend A Web Application.

Policies

Web application policies represent a concept that allows SharePoint administrators to grant or deny permissions to users and groups for sites under a web application. These granted or denied permissions take preference over the permissions set for the sites in the web application.

For more information on SharePoint web application policies read the following Microsoft article: Manage permissions for a web application in SharePoint Server.

Site collection administrator

The SharePoint site collection administrator is a permission type that overrides Full Control permission. It cannot be locked out of any subsite, list, library, item, or page on the site. The permissions inheritance for any of these elements can be broken at any time, and permissions can be changed so that even users with Full Control will have lesser permissions or even no permissions at all. In all cases the SharePoint site collection administrator will always have full access to all elements and all data.

For more information, read the following Microsoft article: Change site collection administrators in SharePoint Server.

Site Collection lock status

Lock statuses apply to a site collection and are used to control the actions allowed on site collection.

For more information on lock statuses, read the following Microsoft article: Manage the lock status for site collections in SharePoint Server.

Web application user permissions

Sites and site collections have a variety of permissions that can be set, such as adding or editing list items or documents. These permissions are normally given to a user by assigning a particular permission level, such as Full Control, Contribute, or View Only. Each individual permission can be enabled or disabled for entire web application.

For more information on web application user permissions, read the following Microsoft article: Manage permissions for a web application in SharePoint Server.

Farm account

Farm account is a service account used to run the Central Administration web site application pool. It has dbo access to the configuration database.

For more information on SharePoint service accounts, read the following Microsoft articles:

Service account for web application pool

Service account for web application pool is used for internal purposes across a SharePoint farm, except for Central administration.

For more information on application pool account, read the following Microsoft article: Application pool account.

Go Up