File System Access Data Collector Schema

Overview

This is a comprehensive schema documentation for the NAA 11.6 File System Access Data Collector (FSAA). The FSAA data collector audits Windows and NFS file systems for permissions, ownership, content, activity, and sensitive-data classification. FSAA scans Windows servers, NetApp / EMC / Dell filers, and Linux/Unix hosts; normalizes the security model into a unified per-host identity space; and writes the results to the central database.

This documentation covers four collector modules that share one schema:

• SA_FSAA_ — File System Access Analyzer: file / folder / share inventory, NTFS and share permissions, file-content statistics (sizing, types, ages), ownership, and tags.
• SA_FSAC_ — File System Activity Collector: file-system audit events (read / add / update / delete / permission-change / rename), aggregated daily activity, permission-change details, and exception detection.
• SA_FSDLP_ — Sensitive Data / Data Loss Prevention: detected matches against DLP criteria, with per-match excerpts and subject-profile linkage.
• SA_FSDFS_ — DFS Namespace mapping: DFS namespaces and links, plus the mapping from DFS paths to the underlying physical shares.

Data model overview

Every core data table is partitioned by host: each table has a HOST INT column that is a foreign key to SA_FSAA_Hosts.ID with ON DELETE CASCADE. Removing a host from SA_FSAA_Hosts therefore atomically purges every collected row for that host across all four modules (FSAA, FSAC, FSDLP, DFS).

Within a host, the canonical secondary keys are:

• Resources — folders / files / shares — keyed by bigint ID (table SA_FSAA_Resources).
• Trustees — security principals seen in ACLs — keyed by int ID (table SA_FSAA_Trustees).
• Gates — entry points such as SMB shares and NFS exports — keyed by int ID (table SA_FSAA_Gates).
• RightsProxyID — a shared dedup key on SA_FSAA_Rights so that many resources sharing identical ACLs all reference one set of permission rows.
• GatesProxyID — analogous dedup pointer from a resource to the gates that grant access to it.
• TagProxyID — analogous dedup pointer from a resource to its set of file tags.

Cross-module integration

SA_FSAA_Resources carries AccessID, ActivityID, and DLPID columns that link a resource into its corresponding rows in the Activity (FSAC) and DLP (FSDLP) tables. Reports that combine permissions, activity, and sensitive-data findings — for example the Open Access and Least Privileged Access reports — join across those columns.

---

Table Relationship Diagrams (ERD)

• Top-level partitioning
• Trustees
• Resources & content aggregations
• Gates and permissions
• Tags
• Exceptions
• Activity collection
• Sensitive data
• DFS namespaces

Core Data Collection Tables

FSAA Tables

• SA_FSAA_SchemaVer
• SA_FSAA_Hosts
• SA_FSAA_ImportHistory
• SA_FSAA_Trustees
• SA_FSAA_LocalTrustees
• SA_FSAA_TrusteeEquivalence
• SA_FSAA_Rights
• SA_FSAA_Tags
• SA_FSAA_TagKeys
• SA_FSAA_TagProxies
• SA_FSAA_Resources
• SA_FSAA_UnixRights
• SA_FSAA_Gates
• SA_FSAA_GatesProxy
• SA_FSAA_Policies
• SA_FSAA_Exceptions
• SA_FSAA_ExceptionTypes
• SA_FSAA_ProbableOwners
• SA_FSAA_FileSizes
• SA_FSAA_FileTypes
• SA_FSAA_FileAges
• SA_FSAA_FileTags
• SA_FSAA_ScanHistory

Activity Collector Tables (SA_FSAC_*)

• SA_FSAC_ProcessNames
• SA_FSAC_ActivityEvents
• SA_FSAC_PermissionChanges
• SA_FSAC_OwnerChanges
• SA_FSAC_DailyActivity
• SA_FSAC_RenameTargets
• SA_FSAC_ExceptionTypes
• SA_FSAC_Exceptions
• SA_FSAC_UserExceptionTypes
• SA_FSAC_UserExceptions

Sensitive Data Tables (SA_FSDLP_*)

• SA_FSDLP_ImportHistory
• SA_FSDLP_Criteria
• SA_FSDLP_Matches
• SA_FSDLP_MatchHits
• SA_FSDLP_MatchHits_SubjectProfile

DFS Namespace Tables (SA_FSDFS_*)

• SA_FSDFS_Namespaces
• SA_FSDFS_Links

Views

FSAA Views

• SA_FSAA_Paths
• SA_FSAA_ResourcesView
• SA_FSAA_PermissionsView
• SA_FSAA_ExpandedPermissionsView
• SA_FSAA_DirectPermissionsView
• SA_FSAA_InheritedPermissionsView
• SA_FSAA_SharesTraversalView
• SA_FSAA_EffectiveAccessView
• SA_FSAA_LocalGroupMembersView
• SA_FSAA_ExceptionsView

Activity Views (SA_FSAC_*)

• SA_FSAC_DailyActivityView
• SA_FSAC_DailyUserActivityView
• SA_FSAC_DailyResourceActivityView
• SA_FSAC_ActivityEventsView
• SA_FSAC_ExceptionsView
• SA_FSAC_UserExceptionsView
• SA_FSAC_PermissionChangesView

Sensitive Data Views (SA_FSDLP_*)

• SA_FSDLP_MatchesView
• SA_FSDLP_MatchHitsView

Enumeration & Lookup Values Reference

• TrusteeType
• ResourceType
• GateType
• Rights Bitmask

Functions & Stored Procedures

FSAA Functions

• SA_FSAA_GetPath
• SA_FSAA_GetTrusteeMembership
• SA_FSAA_IsTrusteeMember
• SA_FSAA_RecurseFolders
• SA_FSAA_WalkTrusteePath
• SA_FSAA_GetTrusteeInformationEx
• SA_FSAA_GetTrusteeInformation
• SA_FSAA_GetResourcePermissions
• SA_FSAA_GetGatePermissions
• SA_FSAA_GetExpandedPermissions
• SA_FSAA_GetExpandedPermissionsEx
• SA_FSAA_GetPolicyMembership
• SA_FSAA_GetLocalGroupMembership
• SA_FSAA_GetEffectiveRights
• SA_FSAA_GetEffectiveRightsEx
• SA_FSAA_GetTrusteePermissionSource
• SA_FSAA_LookupResourcePath
• SA_FSAA_LookupUncPath
• SA_FSAA_UpdateStatistics

Activity Collector Functions (SA_FSAC_*)

• SA_FSAC_GetActiveFolderPermissions
• SA_FSAC_GetFolderActivityMask

DFS Functions (SA_FSDFS_*)

• SA_FSDFS_LookupDfsPath

Index Reference

• Complete Index Listing

Foreign Key Reference

• Complete Foreign Key Listing