Permissions by Data Collector (Matrix)
The Access Analyzer data collectors are capable of collecting information from a variety of sources. Each data collector requires specific protocols, ports, and permissions for the collection of data to occur.
Many data collectors are included as core components. However, some data collectors require specific license features. The following table provides a quick reference for each data collector.
| Data Collector | Description | Protocols | Ports Used | Recommended Permissions |
|---|---|---|---|---|
| ActiveDirectory *requires license | The ActiveDirectory Data Collector audits objects published in Active Directory. | - ADSI - LDAP - RPC | - TCP 389/636 - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Domain Administrators group |
| ADActivity *requires license | The ADActivity Data Collector integrates with the Netwrix Activity Monitor by reading the Active Directory activity log files. | - HTTP - RPC | - TCP 4494 (configurable within the Netwrix Activity Monitor) | - Netwrix Activity Monitor API Access activity data - Netwrix Activity Monitor API Read - Read access to the Netwrix Activity Monitor Log Archive location |
| ADInventory | The ADInventory Data Collector is designed as a highly scalable and useful data collection mechanism to catalogue user, group, and computer object information that can be used by other solutions within Access Analyzer. | - LDAP | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Read access to directory tree - List Contents & Read Property on the Deleted Objects Container NOTE: See the Microsoft Searching for Deleted Objects article and the Microsoft Dsacls article for additional information. |
| ADPermissions *requires license | The ADPermissions Data Collector collects the advanced security permissions of objects in AD. | - ADSI - LDAP - RPC | - TCP 389 - TCP 135 – 139 - Randomly allocated high TCP ports | - LDAP Read permissions - Read on all AD objects - Read permissions on all AD Objects |
| AWS | The AWS Data Collector collects IAM users, groups, roles, and policies, as well as S3 permissions, content, and sensitive data from the target Amazon Web Services (AWS) accounts. | - HTTPS | - 443 | - To collect details about the AWS Organization, the following permission is required: - organizations:DescribeOrganization - To collect details regarding IAM, the following permissions are required: - iam:GenerateCredentialReport - iam:GenerateServiceLastAccessedDetails - iam:Get* - iam:List* - iam:Simulate* - sts:GetAccessKeyInfo - To collect details related to S3 buckets and objects, the following permissions are required: - s3:Describe* - s3:Get* - s3:HeadBucket - s3:List* |
| AzureADInventory | The AzureADInventory Data Collector catalogs user and group object information from Microsoft Entra ID, formerly Azure Active Directory. This data collector is a core component of Access Analyzer and is preconfigured in the .Entra ID Inventory Solution. | - HTTP - HTTPS - REST | - TCP 80 and 443 | - Microsoft Graph API - Application Permissions: - AuditLog.Read.All – Read all audit log data - Directory.Read.All – Read directory data - Delegated Permissions: - Group.Read.All – Read all groups - User.Read.All – Read all users' full profiles - Access URLs - https://login.windows.net - https://graph.windows.net - https://login.microsoftonline.com - https://graph.microsoft.com - All sub-directories of the access URLs listed |
| Box *requires license | The Box Data Collector audits access, group membership, and content within a Box enterprise. | - HTTP - HTTPS | - TCP 80 - TCP 443 | - Box Enterprise Administrator |
| CommandLineUtility | The CommandLineUtility Data Collector provides the ability to remotely spawn, execute, and extract data provided by a Microsoft native or third-party command line utility. | - Remote Registry - RPC | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the local Administrators group |
| DiskInfo | The DiskInfo Data Collector provides enumeration of disks and their associated properties. | - RPC - WMI | - TCP 135 - Randomly allocated high TCP ports | - Member of the local Administrators group |
| DNS *requires license | The DNS Data Collector provides information regarding DNS configuration and records. | - RPC | - TCP 135 - Randomly allocated high TCP ports | - Member of the Domain Administrators group |
| DropboxAccess *requires license | The DropboxAccess Data Collector audits access, group membership, and content within a Dropbox environment. | - HTTP - HTTPS | - TCP 80 - TCP443 | - Dropbox Team Administrator |
| Entra | The Entra data collector collects Microsoft Entra roles information from the target Microsoft Entra tenant. This data collector is preconfigured in the .Entra ID Inventory solution. | - HTTP - HTTPS - REST | - TCP 80 and 443 | - Microsoft Graph API Application permissions: - RoleManagement.Read.Directory - Resource Manager permissions: - Microsoft.Authorization/roleAssignments/read - Microsoft.Authorization/roleDefinitions/read - Microsoft.Resources/resources/read - Microsoft.Resources/subscriptions/read - Microsoft.Resources/subscriptions/resources/read - Microsoft.Resources/subscriptions/resourceGroups/read - Microsoft.Authorization/providerOperations/read - Microsoft.Management/managementGroups/read |
| EventLog | The EventLog Data Collector provides search and extraction of details from event logs on target systems. | - RPC - WMI | - TCP 135 - Randomly allocated high TCP ports | - Member of the Local Administrators group - Member of the Domain Administrators group (if targeting domain controllers) |
| EWSMailbox *requires license | The EWSMailbox Data Collector provides configuration options to scan mailbox contents, permissions, and sensitive data, and is preconfigured within the Exchange Solution. | - HTTPS - ADSI - LDAP | - TCP 389 - TCP 443 | For Exchange servers: - Exchange Admin Role - Discovery Management Role - Application Impersonation Role - Exchange Online License For Exchange Online: - Exchange Admin Role - Discovery Management Role - Exchange Online License |
| EWSPublicFolder *requires license | The EWSPublicFolder Data Collector provides configuration options to extract public folder contents, permissions, and sensitive data, and is preconfigured within the Exchange Solution. | - HTTPS - ADSI - LDAP | - TCP 389 - TCP 443 | For Exchange servers: - Exchange Admin Role - Discovery Management Role - Application Impersonation Role - Exchange Online License with a mailbox For Exchange Online: - Exchange Admin Role - Discovery Management Role - Exchange Online License with a mailbox |
| Exchange2K *requires license | The Exchange2K Data Collector extracts configuration details from Exchange organizations for versions 2003 and later. | - LDAP - MAPI - PowerShell - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports - TCP 389 - Optional TCP 445 | - Member of the Exchange Administrator group - Domain Admin for AD property collection - Public Folder Management |
| ExchangeMailbox *requires license | The ExchangeMailbox Data Collector extracts configuration details from the Exchange Store to provide statistical, content, permission, and sensitive data reporting on mailboxes. | - MAPI - RPC | - TCP 135 - Randomly allocated high TCP ports | - Member of the Exchange Administrator group - Organization Management - Discovery Management |
| ExchangeMetrics *requires license | The ExchangeMetrics Data Collector collects Mail-Flow metrics from the Exchange Message Tracking Logs on the Exchange servers. Some examples of this include server volume and message size statistics. | - RPC - WMI | - TCP 135 - Randomly allocated high TCP ports | - Member of the local Administrator group on the targeted Exchange server(s) |
| ExchangePS *requires license | The ExchangePS Data Collector utilizes the Exchange CMDlets to return information about the Exchange environment utilizing PowerShell. This data collector has been designed to work with Exchange 2010 and newer. | - PowerShell | - TCP 135 - Randomly allocated high TCP ports | For Exchange servers: - Remote PowerShell enabled on a single Exchange server - Windows Authentication enabled for the PowerShell Virtual Directory on the same Exchange server where Remote PowerShell has been enabled - View-Only Organization Management Role Group - Discovery Search Management Role Group - Public Folder Management Role Group - Mailbox Search Role For Exchange Online: - Discovery Management Role - Organization Management Role |
| ExchangePublicFolder *requires license | The ExchangePublicFolder Data Collector audits an Exchange Public Folder, including contents, permissions, ownership, and replicas. | - MAPI - RPC | - TCP 135 - Randomly allocated high TCP ports | - Member of the Exchange Administrator group - Organization Management |
| File | The File Data Collector provides file and folder enumeration, properties, and permissions. | - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports - Optional TCP 445 | - Member of the Local Administrators group |
| FileSystemAccess (FSAA) *requires license | The FileSystemAccess (FSAA) Data Collector collects permissions, content, and activity, and sensitive data information for Windows and NAS file systems. | - Remote Registry - WMI | - Ports vary based on the Scan Mode Option selected. See the File System Scan Options topic for additional information. | - Permissions vary based on the Scan Mode Option selected. See the File System Supported Platforms topic for additional information. |
| GroupPolicy | The GroupPolicy Data Collector provides the ability to retrieve the GPO’s list in the domain and where they are linked, return information on configured policies and policy parts from the individual policies that have been selected, return information on selected policy parts from all policies within the domain, and return effective security policies in effect at the individual workstation. | - LDAP - RPC | - TCP 389 - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Domain Administrators group (if targeting domain controllers) - Member of the Local Administrators group |
| INIFile | The INIFile Data Collector provides options to configure a task to collect information about log entries on target hosts. | - RPC | - TCP 135-139 - Randomly allocated high TCP ports - Optional TCP 445 | - Member of the Local Administrators group |
| LDAP | The LDAP Data Collector uses LDAP to query Active Directory returning the specified objects and attributes. | - LDAP | - TCP 389 | - Member of the Domain Administrators group |
| NIS | The NIS Data Collector inventories a NIS domain for user and group information, mapping to Windows-style SIDs. | - NIS | - TCP 111 or UDP 111 - Randomly allocated high TCP ports | - No special permissions are needed aside from access to a NIS server |
| NoSQL | The NoSQL Data Collector for MongoDB provides information on MongoDB Cluster configuration, limited user permissions, scans collections for sensitive data, and identifies who has access to sensitive data. | - TCP/IP | - MongoDB Cluster - Default port is 27017 (A custom port can be configured) | - Read Only access to ALL databases in the MongoDB Cluster including: - Admin databases - Config databases - Local databases - Read Only access to any user databases is required for sensitive data discovery - Read access to NOSQL instance - Read access to MongoDB instance - Requires NOSQL Full-Text and Semantic Extractions for Search feature to be installed on the target NOSQL instances when using the Scans full rows for sensitive data option on the Options wizard page |
| ODBC | Queries ODBC compliant databases for tables and table properties | - OCBC | - TCP 1433 | - Database Read access |
| PasswordSecurity | The PasswordSecurity Data Collector compares passwords stored in Active Directory to known, breached passwords in the Netwrix weak password dictionary or custom dictionaries. The PasswordSecurity Data Collector also checks for common misconfigurations with passwords in Active Directory. | - LDAP | - TCP 389/636 | - At the domain level: - Read - Replicating Directory Changes - Replicating Directory Changes All - Replicating Directory Changes in a Filtered Set - Replication Synchronization |
| PatchCheck | Provides patch verification and optional automatic bulletin downloads from Microsoft | - HTTP - ICMP - RPC | - TCP 135-139 - Randomly allocated high TCP ports - TCP 80 - TCP 7 | - Member of the Local Administrators group |
| Perfmon | Provides performance monitor counter data samples | - RPC | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group |
| PowerShell | The PowerShell Data Collector provides PowerShell script exit from Access Analyzer. | - PowerShell | - Randomly allocated high TCP ports | - Member of the Domain Administrators group (if targeting domain controllers) - Member of the Local Administrators group |
| Registry | The Registry Data Collector queries the registry and returns keys, key values, and permissions on the keys. | - Remote Registry - RPC | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group |
| Script | The Script Data Collector provides VB Script exit from Access Analyzer. | - VB Script | - Randomly allocated high TCP ports | - Member of the Local Administrators group - Member of the Domain Administrators group (if targeting domain controllers) |
| Services | The Services Data Collector enumerates status and settings from remote services. | - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group |
| SharePointAccess (SPAA) *requires license | The SharePointAccess (SPAA) Data Collector audits access, group membership, and content within a SharePoint on-premises and SharePoint Online environment. The SPAA Data Collector has been preconfigured within the SharePoint Solution. | - MS SQL - Remote Registry - SP CSOM (Web Services via HTTP & HTTPS) - SP Server API - WCF AUTH via TCP (configurable) | - Ports vary based on the Scan Mode selected and target environment. See the SharePoint Scan Options topic for additional information. | - Permissions vary based on the Scan Mode selected and target environment. See the SharePoint Support topic for additional information. |
| SMARTLog | The SMARTLog Data Collector provides search and extraction of details from Windows Event Logs (online or offline) and Microsoft Exchange Internet Information Server (IIS) logs. | - Log - Remote Event - RPC | - TCP 135 - TCP 445 - Randomly allocated high TCP ports | - Member of the Domain Administrators group (if targeting domain controllers) - Member of the local Administrators group |
| SQL *requires license | The SQL Data Collector provides information on database configuration, permissions, data extraction, application name of the application responsible for activity events, an IP Address or Host name of the client server, and sensitive data reports. This data collector also provides information on Oracle databases including infrastructure and operations. | TCP | For Db2 Target: - Specified by Instances table (default is 5000) For MySQL Target: - Specified by Instances table (default is 3306) For Oracle Target: - Specified by Instances table (default is 1521) For PostgreSQL Target: - Specified by Instances table (default is 5432) For SQL Target: - Specified by Instances table (default is 1433) | For MySQL Target: - Read access to MySQL instance to include all databases contained within each instance - Windows Only — Domain Admin or Local Admin privilege For Oracle Target: - User with SYSDBA role - Local Administrator on the target servers – Only applies to Windows Servers and not on Linux or Unix operating systems For PostgreSQL Target: - Read access to all the databases in PostgreSQL cluster or instance - Windows Only — Domain Admin or Local Admin privilege For Redshift Target: - Read-access to the following tables: - pg_tables - pg_user For SQL Target: - For Instance Discovery, local rights on the target SQL Servers: - Local group membership to Remote Management Users - Permissions on the following WMI NameSpaces: root\Microsoft\SQLServer, root\interop - For permissions for data collection: - Read access to SQL instance - Requires SQL Full-Text and Semantic Extractions for Search feature to be installed on the target SQL instance(s) when using the Scan full rows for sensitive data option on the Options wizard page - Grant Authenticate Server to [DOMAIN\USER] - Grant Connect SQL to [DOMAIN\USER] - Grant View any database to [DOMAIN\USER] - Grant View any definition to [DOMAIN\USER] - Grant View server state to [DOMAIN\USER] - Grant Control Server to [DOMAIN\USER] (specifically required for the Weak Passwords Job) |
| SystemInfo | The SystemInfo Data Collector extracts information from the target system based on the selected category. | - Remote Registry - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group |
| TextSearch | The TextSearch Data Collector enables searches through text based log files. | - RPC | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group |
| Unix *requires license | The Unix Data collector provides host inventory, software inventory, and logical volume inventory on UNIX & Linux platforms. | - SSH | - TCP 22 - User configurable | - Root permissions in Unix/Linux |
| UserGroups *requires license | The UsersGroups Data Collector audits user and group accounts for both local and domain, extracting system policies. | - RPC - SMBV2 - WMI | - TCP 135-139 - Randomly allocated high TCP ports - 445 | - Member of the Local Administrators group - If a less-privileged option is required, you can use a regular domain user that has been added to the Network access: Restrict clients allowed to make remote calls to SAM Local Security Policy - Member of the Domain Administrators group (if targeting domain controllers) |
| WMICollector | The WMICollector Data Collector identifies data for certain types of WMI classes and namespaces. | - RPC - WMI | - TCP 135-139 - Randomly allocated high TCP ports | - Member of the Local Administrators group |