diff --git a/.claude/plans/2026-04-07-derek-skill.md b/.claude/plans/2026-04-07-derek-skill.md new file mode 100644 index 0000000000..03daeea5ff --- /dev/null +++ b/.claude/plans/2026-04-07-derek-skill.md @@ -0,0 +1,1100 @@ +# Derek Skill Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Create `kb_style_guide.md` at the repo root and the `.claude/skills/derek/` linter skill that enforces it against KB articles in `docs/kb/`. + +**Architecture:** Derek mirrors the dale skill exactly — `SKILL.md` drives a loop over `rules/*.yml` files, each defining one check via `message`, `level`, and `reason` fields. Rules cover frontmatter validation (7), article structure (1), and prose (10). `kb_style_guide.md` is the human-readable source of truth that derek's rules enforce. + +**Tech Stack:** Markdown, YAML, Claude skill conventions (same pattern as `.claude/skills/dale/`) + +**Spec:** `.claude/specs/2026-04-07-derek-design.md` + +--- + +## File map + +| Action | Path | +|---|---| +| Create | `kb_style_guide.md` | +| Create | `.claude/skills/derek/SKILL.md` | +| Create | `.claude/skills/derek/references/rule-schema.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-title.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-description.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-sidebar-label.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-keywords-count.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-products.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-tags-kb.yml` | +| Create | `.claude/skills/derek/rules/frontmatter-knowledge-article-id.yml` | +| Create | `.claude/skills/derek/rules/structure-article-type.yml` | +| Create | `.claude/skills/derek/rules/passive-voice.yml` | +| Create | `.claude/skills/derek/rules/no-please.yml` | +| Create | `.claude/skills/derek/rules/minimizing-difficulty.yml` | +| Create | `.claude/skills/derek/rules/no-note-that.yml` | +| Create | `.claude/skills/derek/rules/impersonal-constructions.yml` | +| Create | `.claude/skills/derek/rules/contractions.yml` | +| Create | `.claude/skills/derek/rules/title-case-headings.yml` | +| Create | `.claude/skills/derek/rules/business-jargon.yml` | +| Create | `.claude/skills/derek/rules/descriptive-links.yml` | +| Create | `.claude/skills/derek/rules/undefined-jargon.yml` | + +--- + +## Task 1: Create feature branch + +**Files:** none + +- [ ] **Step 1: Verify you are on dev and it is up to date** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git checkout dev +git pull origin dev +``` + +Expected: `Already up to date.` or a list of pulled commits. + +- [ ] **Step 2: Create and check out the feature branch** + +```bash +git checkout -b feature/derek-skill +``` + +Expected: `Switched to a new branch 'feature/derek-skill'` + +- [ ] **Step 3: Verify** + +```bash +git branch +``` + +Expected: `* feature/derek-skill` is the active branch. + +--- + +## Task 2: Create `kb_style_guide.md` + +**Files:** +- Create: `kb_style_guide.md` (repo root, alongside `netwrix_style_guide.md`) + +This file is the authoritative style reference for KB articles. Derek's rules enforce it. It is based on the internal wiki KB style guide with documented additions and overrides. + +- [ ] **Step 1: Create `kb_style_guide.md`** + +Write the following content to `kb_style_guide.md` at the repo root: + +````markdown +# Netwrix KB Style Guide + +This guide establishes writing standards for Netwrix Knowledge Base (KB) articles. KB articles are written by Technical Support Engineers (TSEs) and live in `docs/kb//` in the documentation repository. + +This guide is enforced by the `derek` linter skill (`/derek `). + +> **Important for documentation contributors:** This guide conflicts with the Netwrix docs style guide (`netwrix_style_guide.md`) on two points — contractions and heading case. Do not apply docs style guide rules to KB articles. Do not run `/dale` on KB files. + +| Topic | KB rule | Docs rule | +|---|---|---| +| Contractions | Write out in full: "do not", "cannot", "you will" | Use contractions: "don't", "can't", "you'll" | +| Heading case | Title case (Chicago style) | Sentence case | + +--- + +## Article Types + +KB articles follow one of two primary types. + +### How-To Articles + +How-to articles provide step-by-step guidance for accomplishing specific tasks. + +**Title format:** `[Action Gerund] [Specific Task]` — start with a gerund, no "How to" prefix, no question mark. + +- Good: `Modifying SSRS Report Timeouts` +- Good: `Auditing a Non-trusted Domain` +- Bad: `How to Modify SSRS Report Timeouts?` (starts with "How to", ends with question mark) +- Bad: `Auditing a non-trusted domain` (sentence case) + +**Formats:** + +- **Instructions format** — for complex procedures: sections are `## Overview` and `## Instructions` +- **Question and Answer format** — for simple procedures: sections are `## Question` and `## Answer` + +### Resolution Articles + +Resolution articles help customers troubleshoot specific errors or unexpected behavior. + +**Error Resolution** — for specific error codes or messages. + +- Title format: `Error: [Unique Error Code/Message]` +- Include only the most unique part of the error message in the title. If the error message itself contains the word "error," do not start the title with "Error:". +- Good: `Error: Event Collection Failed 0x80004005` +- Bad: `Error: Can't Process Request` (too generic) + +**Symptom Resolution** — for unexpected behavior that does not produce an explicit error. + +- Title format: `[Feature or Component] [Symptom or Issue] [Optional: Condition or Context]` +- Good: `Active Directory Users Missing from Search Results` +- Bad: `AD not working right` (too vague) + +Both resolution article formats use sections: `## Symptom` (or `## Symptoms`), `## Cause` (or `## Causes`), `## Resolution` (or `## Resolutions`). + +--- + +## Article Structure + +### Section limits + +Articles should not exceed five main H2 headings. + +### Optional sections for all article types + +**Related Query / Related Queries** — place as the first section when applicable. Include exact wording from customer support ticket subjects (correcting only typos). Helps with searchability and surfaces real customer language. + +**Related Links** — place at the end. List all relevant links referenced in the article. + +### Heading hierarchy + +- The article title is always H1 (`#`) +- Main section headings are H2 (`##`) +- Subsections are H3 (`###`) and H4 (`####`) +- Do not skip heading levels + +--- + +## Article Titles + +- **Use title case.** Use [capitalizemytitle.com](https://capitalizemytitle.com/) (Chicago style) if you are unsure. +- **Do not include product names in titles.** Product names belong in the `products` frontmatter field. +- **Use keywords customers will search for,** especially words from customer ticket subjects. +- **Include unique identifiers** like error codes. +- **Avoid vague or generic titles.** The clearer the title, the more findable it is. + +--- + +## Voice and Tone + +### General principles + +- Use second person ("you") when addressing the reader. +- Write in active voice rather than passive voice. + - Do: "The agent collects the log." + - Do not: "The log is collected by the agent." +- Be direct, clear, and concise. +- Maintain a professional but approachable tone. +- Do not use humor — it rarely translates across cultures. + +### Words and phrases to avoid + +- **Minimize difficulty:** Do not use "simply," "just," "easily," "basically," or "obviously." These minimize the difficulty of what the reader is trying to do. + - Do: "Configure the monitoring plan." + - Do not: "Simply configure the monitoring plan." + +- **"Please":** Do not use "please" in instructions. Be direct. + - Do: "Enter your credentials." + - Do not: "Please enter your credentials." + +- **Inline "note that" / "please note":** Do not use these inline in body text. Use a blockquote callout instead. + - Do: `> **NOTE:** The redirect URI is case-sensitive.` + - Do not: "Note that the redirect URI is case-sensitive." + - Do not: "Please note that the redirect URI is case-sensitive." + +- **Impersonal constructions:** Avoid "it is recommended," "it is necessary," "it is possible," "it is required," "it is advised," and "it is suggested." Rewrite with an active subject or a direct imperative. + - Do: "Netwrix recommends running the server as an IIS website." + - Do: "Restrict the maximum server memory value to prevent performance issues." + - Do not: "It is recommended to run the server as an IIS website." + - Do not: "It is necessary to restrict the maximum server memory value." + +- **Business jargon:** Do not use "utilize" or "utilise" (use "use"), "leverage" as a verb in non-financial contexts, or "synergy." + +- **Colloquialisms and idioms:** Avoid phrases that may not translate across cultures (for example, use "stop loading" instead of "hang"). + +### Jargon and acronyms + +Define technical terms and acronyms on first use. Do not assume the reader knows product-specific abbreviations. + +- Do: "Configure the File System Access Audit (FSAA) monitoring plan. FSAA collects data from file servers." +- Do not: "Configure the FSAA monitoring plan." + +--- + +## Contractions + +**Write contractions out in full.** This is a KB-specific rule that differs from the Netwrix docs style guide. + +- Do: "do not", "cannot", "you will", "it is", "there is", "that is", "is not", "are not", "was not", "were not", "has not", "have not", "had not", "does not", "did not", "would not", "should not", "could not" +- Do not: "don't", "can't", "you'll", "it's", "there's", "that's", "isn't", "aren't", "wasn't", "weren't", "hasn't", "haven't", "hadn't", "doesn't", "didn't", "wouldn't", "shouldn't", "couldn't" + +--- + +## Article Length + +- Focus on one topic per article. +- Place the most important information first. +- Keep paragraphs to 3–4 sentences maximum. +- Use bullet points and numbered lists for readability. +- One idea per paragraph. +- Use meaningful subheadings every 200–300 words. + +--- + +## Headings and Subheadings + +- **Use title case.** This is a KB-specific rule that differs from the Netwrix docs style guide, which uses sentence case. + - Capitalize all words except: articles (a, an, the), coordinating conjunctions (and, but, or, nor, for, so, yet), and prepositions of four letters or fewer — unless they open or close the heading. + - Capitalize prepositions that are part of a phrasal verb (for example, "Set Up"). + - Use [capitalizemytitle.com](https://capitalizemytitle.com/) (Chicago style) to check. +- Avoid passive voice in headings. +- Avoid punctuation marks in headings. +- H2 for main article sections. H3 and H4 for subsections. Do not skip levels. + +--- + +## Frontmatter + +All KB articles must begin with a frontmatter block. + +### Required fields + +| Field | Description | +|---|---| +| `title` | The full article title, as a quoted string. Must match the H1 heading exactly. | +| `description` | A short, SEO-friendly summary (1–2 sentences). Use `>-` for multiline values. | +| `sidebar_label` | Matches the article title. May be shortened if the title is very long. | +| `keywords` | 8–12 relevant technical and product search terms, as a YAML list. | +| `products` | One or more product IDs from the product names table, as a YAML list. | +| `tags` | YAML list. **Must include `kb`.** See note below. | +| `knowledge_article_id` | The Salesforce Knowledge Article ID. Format: `kA` followed by alphanumeric characters (for example, `kA0Qk000000XXXXKAA`). | + +### The `tags: [kb]` requirement + +The wiki KB style guide marks `tags` as optional. **This is overridden for the Netwrix documentation repository.** The `tags` field must be present and must include `kb` for all KB articles. + +This requirement exists because Algolia (the site's search provider) indexes the `tags` field automatically. Including `kb` in every KB article's tags enables KB-specific filtering in search results. No Algolia configuration changes are required — the crawler picks up the field automatically. + +### Example frontmatter block + +```yaml +--- +description: >- + When the 2-FSAA Bulk Import job returns a SQL logic error, the database + structure map is likely corrupted. This article describes causes and + provides two resolutions. +keywords: + - bulk import + - SQL logic error + - strucmap + - 2-FSAA + - FileSystem + - reset hosts + - repair database + - Netwrix Access Analyzer + - NEA +products: + - enterprise_auditor +sidebar_label: 'Bulk Import Error: SQL Logic Error Unknown Database Strucmap' +tags: + - kb +title: "Bulk Import Error: SQL Logic Error Unknown Database Strucmap" +knowledge_article_id: kA0Qk0000001msDKAQ +--- +``` + +--- + +## Punctuation + +Follow Chicago Manual of Style (CMOS) for all punctuation. + +- **Serial comma:** Use a comma before "and" or "or" in a series of three or more items. +- **Contractions:** Write out in full (see Contractions section above). +- **Exclamation marks:** Avoid, even in warnings. +- **Colons:** Use only at the end of complete sentences to introduce lists or explanations. Capitalize the first word after a colon only if it begins a complete sentence. +- **Semicolons:** Use to separate closely related independent clauses, or to separate complex list items that contain commas. +- **Hyphens:** Use for compound modifiers before nouns (for example, "well-known feature"). +- **En dashes:** Use for ranges (for example, "pages 10–15"). +- **Em dashes:** Use for abrupt changes in thought or emphasis. Do not add spaces around em dashes. +- **Parentheses:** Use sparingly for supplementary information that would interrupt the main text. +- **List items:** End each item with consistent punctuation. If items are complete sentences, end with a period. If items are fragments, omit periods from all items. + +--- + +## Markup Conventions + +- `##`, `###`, `####` for H2, H3, H4 headings (the article title is always H1) +- `[Link text](URL)` for hyperlinks +- `![alt text](image_url)` for images +- `1.` for ordered lists, `-` or `*` for unordered lists +- Fenced code blocks (triple backticks) for block-level code, commands, error messages, and paths to be copied. Specify the language after the opening backticks when possible. +- Single backticks for inline code when content does not need to be copied +- `**bold**` for UI elements, buttons, menu items, tabs, checkboxes, dropdown options, navigation steps, and form field names +- Blockquote callouts for notes and warnings: + +```markdown +> **NOTE:** Supplementary information the reader should be aware of. + +> **IMPORTANT:** Critical information that could cause issues if ignored. +``` + +Do not use inline "note that" or "please note" in body text. Use a blockquote callout instead. + +--- + +## Links + +### Internal links + +- Do not use generic link text such as "click here," "read more," "learn more," "see more," or "this link." Write text that describes where the link goes. + - Do: `See [Configuring the Data Collection Account](../config.md) for setup steps.` + - Do not: `Click [here](../config.md) for details.` +- Link to the latest version of any referenced article. +- When referring to a subsection, name the subsection and its parent section. + +### External links + +Format external links with a middot and arrow after the company name: + +```markdown +[SMB Security Enhancements ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security) +``` + +--- + +## Screenshots + +- Use red rectangles only for markup. No arrows, circles, or highlights. +- No more than two shapes per screenshot. +- Add descriptive alt text to all images. Alt text formula: `[Action being shown] + [Key UI elements visible]`. + - Example: `Dialog box for selecting monitoring plan settings with the Schedule tab active` +- Write all steps clearly in the article body. The article must be followable without screenshots. +- Images work poorly inside lists due to platform formatting constraints. Place images after the list ends where possible. + +--- + +## Lists + +- Capitalize the first word of each list item. +- Use consistent punctuation across all items: either all items end with a period, or none do. +- Use unordered lists for unordered recommendations or options. +- Use ordered lists for sequential steps. +- Minimize nesting. Second-level lists are rarely needed — start a new paragraph instead. + +--- + +## Accessibility + +- Maintain a logical heading structure. Do not skip heading levels. +- Use descriptive link text (see Links section). +- Add alt text to all images (see Screenshots section). +- Do not use color alone to convey meaning. + +--- + +## Optimizing for AI Retrieval (RAG) + +- Define technical terms clearly on first use. +- Use consistent terminology throughout — do not use synonyms for technical terms. +- Create logical, self-contained sections that can be understood independently. +- Use descriptive subheadings that convey the main point of each section. +- Avoid ambiguous pronoun references ("it," "this," "that") — use the noun instead. + +--- + +## Product Names + +Use the following names in KB articles. Do not use abbreviations such as "NA" for Netwrix Auditor. + +| Full Product Name | Short Product Name | Product ID (for `products` field) | +|---|---|---| +| Netwrix Activity Monitor | Activity Monitor | `activity_monitor` | +| Netwrix 1Secure | 1Secure | `onesecure` | +| Netwrix Auditor | Auditor | `auditor` | +| Netwrix Change Tracker | Change Tracker | `change_tracker` | +| Netwrix Data Classification | Data Classification | `data_classification` | +| Netwrix Directory Manager | Directory Manager | `groupid` | +| Netwrix Endpoint Protector | Endpoint Protector | `endpoint_protector` | +| Netwrix Log Tracker | Log Tracker | `log_tracker` | +| Netwrix Password Policy Enforcer | Password Policy Enforcer | `password_policy_enforcer` | +| Netwrix Password Reset | Password Reset | `password_reset_manager` | +| Netwrix Password Secure | Password Secure | `password_secure` | +| Netwrix Endpoint Policy Manager | Endpoint Policy Manager | `policypak` | +| Netwrix Endpoint Privilege Manager | Endpoint Privilege Manager | `privilege_secure_endpoints` | +| Netwrix Privilege Secure for Access Management | Privilege Secure for Access Management | `privilege_secure` | +| Netwrix Privilege Secure for Discovery | Privilege Secure for Discovery | `privilege_secure_discovery` | +| Netwrix Recovery for Active Directory | Recovery for Active Directory | `recovery_ad` | +| Netwrix Access Analyzer | Access Analyzer | `enterprise_auditor` | +| Netwrix Threat Manager | Threat Manager | `threat_manager` | +| Netwrix Threat Prevention | Threat Prevention | `threat_prevention` | +| Netwrix Platform Governance for NetSuite | Platform Governance for NetSuite | `strongpoint_netsuite` | +| Netwrix Platform Governance for Salesforce | Platform Governance for Salesforce | `strongpoint_salesforce` | +| Netwrix Identity Manager | Identity Manager | `usercube` | +| Netwrix Vulnerability Tracker by Greenbone | Vulnerability Tracker | `vulnerability_tracker_gb` | + +### When to use long vs. short product names + +Use the full product name (for example, "Netwrix Auditor"): +- The first time you introduce a product +- With service names (for example, "Netwrix Auditor for File Servers Service") +- With log names (for example, "Netwrix Auditor Health Log") + +Use the short product name (for example, "Auditor"): +- Every subsequent mention after the first +- With "server" and "client" + +Do not use a product name for product components once the product has been introduced (for example, "Audit Database," "Long-Term Archive," "Monitoring plans"). +```` + +- [ ] **Step 2: Verify the file exists at the repo root** + +```bash +ls -la "/Users/hilaryramirez/Documents/KB projects/docs/kb_style_guide.md" +``` + +Expected: file listed with a recent timestamp. + +- [ ] **Step 3: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add kb_style_guide.md +git commit -m "docs: add KB style guide as source of truth for derek linter" +``` + +--- + +## Task 3: Create derek skill scaffold and `rule-schema.yml` + +**Files:** +- Create: `.claude/skills/derek/references/rule-schema.yml` +- (Directories created implicitly) + +- [ ] **Step 1: Create directories** + +```bash +mkdir -p "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/rules" +mkdir -p "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/references" +``` + +- [ ] **Step 2: Create `references/rule-schema.yml`** + +Write the following to `.claude/skills/derek/references/rule-schema.yml`: + +```yaml +$schema: "https://json-schema.org/draft/2020-12/schema" +title: Rule +description: A single linting rule definition for the Derek KB linter. +type: object + +required: + - message + - level + - reason + +properties: + message: + type: string + description: The message displayed when this rule is triggered. + minLength: 1 + + level: + type: string + description: Severity level of the rule violation. + enum: + - suggestion + - warning + - error + + reason: + type: string + description: >- + Explains what to look for when checking this rule. This may describe either a prose + pattern in body text (e.g., "trigger when the writer uses passive voice") or a + structural assertion against the document's frontmatter or heading structure + (e.g., "trigger when the tags field does not contain 'kb'"). Both are valid uses + of this field. + minLength: 1 + +additionalProperties: false + +# Contributor note: +# When adding a new derek rule, the reason field can describe either: +# - A prose pattern: natural language description of what text to flag in the body +# - A structural assertion: what frontmatter field or heading structure to check +# There is no separate schema for structural vs. prose rules — reason handles both. +# Use specific, unambiguous language so the linter knows exactly what to check. +# Example prose reason: "Trigger when the body contains passive voice constructions." +# Example structural reason: "Trigger when the tags field is missing or does not include 'kb'." +``` + +- [ ] **Step 3: Verify** + +```bash +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/references/" +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/rules/" +``` + +Expected: `rule-schema.yml` in references, empty rules directory. + +- [ ] **Step 4: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add .claude/skills/derek/references/rule-schema.yml +git commit -m "feat(derek): add skill scaffold and rule schema" +``` + +--- + +## Task 4: Create `SKILL.md` + +**Files:** +- Create: `.claude/skills/derek/SKILL.md` + +- [ ] **Step 1: Create `SKILL.md`** + +Write the following to `.claude/skills/derek/SKILL.md`: + +```markdown +--- +name: derek +description: Run against KB articles in docs/kb/ to lint for frontmatter, structure, and prose issues against the KB style guide. Use when editing or reviewing any file under docs/kb/. +argument-hint: "[docs/kb/path/to/article.md]" +--- + +# Overview + +You are not a skill or an agent. You are a piece of software — a linter called Derek. Your only job is to lint the input KB article against the rules in Derek's rules engine. Do not talk to the user or discuss anything — Derek is pure input/output software. + +> **Important:** Derek enforces the KB style guide (`kb_style_guide.md`). Do not run `/dale` on KB articles. The KB style guide and the docs style guide (`netwrix_style_guide.md`) conflict on two rules: +> - **Contractions:** KB requires writing them out in full ("do not", "cannot"). Docs encourages contractions ("don't", "can't"). +> - **Heading case:** KB requires title case. Docs requires sentence case. +> Running `/dale` on a KB file will produce contradictory feedback on these rules. + +Derek applies all rules in `./rules/*.yml` against the given document `$1`. Run each rule, then print a single table of all failures at the end. Work in a loop, following the Rules Engine section below for each rule file. + +Your current working directory is always the root of the project. KB articles are always in `docs/kb/` from there. + +# Rules Engine + +- The rule schema is in `./references/rule-schema.yml`. +- All rules are in `./rules/`. + +## Processing loop + +Use TodoWrite and create a Todo for each rule you need to check. Mark each Todo as complete once you have checked the file for that rule. For each Todo: + +1. Read the `reason` for the rule. + > Say: "Reading $rule_name." + +2. Check the document to see if that `reason` has been triggered. + > Say: "Checking $document_name for rule $rule_name." + +3a. If triggered, note the location and the `message` value as a line item in Derek's output table. + > Say: "Violation of rule $rule_name found." + +3b. If not triggered, move on silently. + +# Output + +When finished, print the output table. If no rules were violated, say "Derek found no issues." + +``` +| Line | Rule | Message | Offending Text | +|------|------|---------|----------------| +| 1 | `frontmatter-tags-kb` | The tags field must be present and must include "kb". | `tags: []` | +``` + +**Line number guidance:** +- Frontmatter field missing entirely: use line `1` +- Frontmatter field present but invalid: use the line number of that field +- Structure violation (wrong or missing heading): use the line number of the heading, or line `1` if no relevant heading exists +- Structure violation with missing sections: include the expected heading template in the Message column so the writer can copy it in +- Prose violation: use the line number of the offending text + +# Troubleshooting + +Never respond with anything beyond what you were explicitly asked to respond with — no explanations, no commentary, no suggestions outside the output table. +``` + +- [ ] **Step 2: Verify** + +```bash +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/" +``` + +Expected: `SKILL.md`, `references/`, `rules/` + +- [ ] **Step 3: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add .claude/skills/derek/SKILL.md +git commit -m "feat(derek): add SKILL.md" +``` + +--- + +## Task 5: Create frontmatter rules (7 files) + +**Files:** +- Create: `.claude/skills/derek/rules/frontmatter-title.yml` +- Create: `.claude/skills/derek/rules/frontmatter-description.yml` +- Create: `.claude/skills/derek/rules/frontmatter-sidebar-label.yml` +- Create: `.claude/skills/derek/rules/frontmatter-keywords-count.yml` +- Create: `.claude/skills/derek/rules/frontmatter-products.yml` +- Create: `.claude/skills/derek/rules/frontmatter-tags-kb.yml` +- Create: `.claude/skills/derek/rules/frontmatter-knowledge-article-id.yml` + +- [ ] **Step 1: Create `frontmatter-title.yml`** + +```yaml +message: "The title field is required and must be a quoted string." +level: error +reason: "This rule triggers when the frontmatter block is missing a title field, or when the title value is not enclosed in double or single quotes." +``` + +- [ ] **Step 2: Create `frontmatter-description.yml`** + +```yaml +message: "The description field is required and must be non-empty." +level: error +reason: "This rule triggers when the frontmatter block is missing a description field, or when the description value is empty or blank." +``` + +- [ ] **Step 3: Create `frontmatter-sidebar-label.yml`** + +```yaml +message: "The sidebar_label field is required and must be non-empty." +level: error +reason: "This rule triggers when the frontmatter block is missing a sidebar_label field, or when the sidebar_label value is empty or blank." +``` + +- [ ] **Step 4: Create `frontmatter-keywords-count.yml`** + +```yaml +message: "The keywords field must contain 8–12 items. Count the list items and adjust accordingly." +level: warning +reason: "This rule triggers when the frontmatter block is missing a keywords field, or when the keywords list contains fewer than 8 or more than 12 items. Count the list items under the keywords key to determine whether the count is in the 8–12 range." +``` + +- [ ] **Step 5: Create `frontmatter-products.yml`** + +```yaml +message: "The products field is required and must contain at least one product ID." +level: error +reason: "This rule triggers when the frontmatter block is missing a products field, or when the products list is empty. See the product names table in kb_style_guide.md for valid product IDs." +``` + +- [ ] **Step 6: Create `frontmatter-tags-kb.yml`** + +```yaml +message: "The tags field must be present and must include \"kb\". This tag enables KB article filtering in Algolia search." +level: error +reason: "This rule triggers when the frontmatter block is missing a tags field, or when the tags list does not include the string value \"kb\". An empty tags list (tags: []) also triggers this rule." +``` + +- [ ] **Step 7: Create `frontmatter-knowledge-article-id.yml`** + +```yaml +message: "The knowledge_article_id field is required and must be a valid Salesforce KB article ID — starts with \"kA\" followed by alphanumeric characters (for example, kA0Qk000000XXXXKAA)." +level: error +reason: "This rule triggers when the frontmatter block is missing a knowledge_article_id field, or when the value does not begin with the letters \"kA\" followed only by alphanumeric characters." +``` + +- [ ] **Step 8: Verify all 7 files exist** + +```bash +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/rules/" +``` + +Expected: 7 `frontmatter-*.yml` files listed. + +- [ ] **Step 9: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add .claude/skills/derek/rules/frontmatter-*.yml +git commit -m "feat(derek): add frontmatter validation rules" +``` + +--- + +## Task 6: Create structure rule + +**Files:** +- Create: `.claude/skills/derek/rules/structure-article-type.yml` + +- [ ] **Step 1: Create `structure-article-type.yml`** + +```yaml +message: "The article's heading structure does not match the expected structure for its type. See the Message column for the expected headings." +level: warning +reason: >- + This rule infers the article type from the title and checks that the required H2 + headings are present. + + Type inference (check the title field in frontmatter or the H1 heading): + - Title starts with "Error:" → Error Resolution + - Title starts with a gerund ("-ing" verb, e.g., "Configuring...", "Modifying...") or "How to" → How-To + - Everything else → Symptom Resolution + + Required headings by type: + - Error Resolution: ## Symptom (or ## Symptoms), ## Cause (or ## Causes), ## Resolution (or ## Resolutions) + - Symptom Resolution: ## Symptom (or ## Symptoms), ## Cause (or ## Causes), ## Resolution (or ## Resolutions) + - How-To: either (## Overview AND ## Instructions) or (## Question AND ## Answer) + + When one or more required headings are missing, include the full expected heading + template in the Message column of the output table so the writer can copy it directly. + + Template for Error Resolution and Symptom Resolution: + ## Symptom + ## Cause + ## Resolution + + Template for How-To (Instructions format): + ## Overview + ## Instructions + + Template for How-To (Question and Answer format): + ## Question + ## Answer + + Note: heading plurals are acceptable (## Symptoms, ## Causes, ## Resolutions). + Check for the singular and plural forms before flagging a missing heading. +``` + +- [ ] **Step 2: Verify** + +```bash +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/rules/" | grep structure +``` + +Expected: `structure-article-type.yml` + +- [ ] **Step 3: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add .claude/skills/derek/rules/structure-article-type.yml +git commit -m "feat(derek): add article structure rule" +``` + +--- + +## Task 7: Create prose rules — batch 1 + +**Files:** +- Create: `.claude/skills/derek/rules/passive-voice.yml` +- Create: `.claude/skills/derek/rules/no-please.yml` +- Create: `.claude/skills/derek/rules/minimizing-difficulty.yml` +- Create: `.claude/skills/derek/rules/no-note-that.yml` +- Create: `.claude/skills/derek/rules/impersonal-constructions.yml` + +- [ ] **Step 1: Create `passive-voice.yml`** + +```yaml +message: "Avoid passive voice. Rewrite in active voice." +level: warning +reason: "This rule triggers when a sentence or clause in the article body uses passive voice — that is, when the grammatical subject receives the action rather than performs it. Common patterns: 'is/are/was/were/been + past participle' (e.g., 'the log is collected by the agent', 'the error was caused by'). Do not flag passive voice in quoted error messages or code blocks." +``` + +- [ ] **Step 2: Create `no-please.yml`** + +```yaml +message: "Do not use \"please\" in instructions. Be direct." +level: warning +reason: "This rule triggers when the word \"please\" appears anywhere in the article body text. Do not flag it inside code blocks or quoted error messages." +``` + +- [ ] **Step 3: Create `minimizing-difficulty.yml`** + +```yaml +message: "Do not minimize the difficulty of tasks. Remove this word." +level: warning +reason: "This rule triggers when the article body contains any of the following words used to minimize difficulty or imply the task is obvious: simply, just, easily, basically, obviously. Do not flag these words inside code blocks or quoted error messages." +``` + +- [ ] **Step 4: Create `no-note-that.yml`** + +```yaml +message: "Do not use inline \"note that\" or \"please note\". Use a blockquote callout instead: > **NOTE:** ..." +level: warning +reason: "This rule triggers when the article body contains the phrase \"note that\" or \"please note\" used inline in body text — not inside a blockquote (lines starting with >). If the phrase appears in running prose rather than inside a > **NOTE:** callout block, this rule triggers." +``` + +- [ ] **Step 5: Create `impersonal-constructions.yml`** + +```yaml +message: "Avoid impersonal constructions. Rewrite with an active subject or a direct imperative." +level: warning +reason: "This rule triggers when the article body contains any of the following phrases: \"it is recommended\", \"it is necessary\", \"it is possible\", \"it is required\", \"it is advised\", \"it is suggested\". Do not flag these inside code blocks or quoted error messages." +``` + +- [ ] **Step 6: Verify** + +```bash +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/rules/" | grep -E "passive|please|minimizing|note-that|impersonal" +``` + +Expected: 5 files listed. + +- [ ] **Step 7: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add .claude/skills/derek/rules/passive-voice.yml \ + .claude/skills/derek/rules/no-please.yml \ + .claude/skills/derek/rules/minimizing-difficulty.yml \ + .claude/skills/derek/rules/no-note-that.yml \ + .claude/skills/derek/rules/impersonal-constructions.yml +git commit -m "feat(derek): add prose rules batch 1 (passive voice, please, minimizing difficulty, note-that, impersonal)" +``` + +--- + +## Task 8: Create prose rules — batch 2 + +**Files:** +- Create: `.claude/skills/derek/rules/contractions.yml` +- Create: `.claude/skills/derek/rules/title-case-headings.yml` +- Create: `.claude/skills/derek/rules/business-jargon.yml` +- Create: `.claude/skills/derek/rules/descriptive-links.yml` +- Create: `.claude/skills/derek/rules/undefined-jargon.yml` + +- [ ] **Step 1: Create `contractions.yml`** + +```yaml +message: "Write contractions out in full in KB articles. Use \"do not\" instead of \"don't\", \"cannot\" instead of \"can't\", etc." +level: warning +reason: >- + This rule triggers when the article body contains a contraction — two words joined + by an apostrophe. Common contractions to flag: don't, can't, won't, you'll, it's + (when meaning "it is"), there's, that's, isn't, aren't, wasn't, weren't, hasn't, + haven't, hadn't, doesn't, didn't, wouldn't, shouldn't, couldn't, I'm, you're, + we're, they're, I've, you've, we've, they've, I'd, you'd, we'd, they'd. + + Note: this is the opposite of the Netwrix docs style guide, which encourages + contractions. KB articles follow the KB style guide. Do not flag apostrophes used + for possessives (e.g., "the system's logs") or inside code blocks. +``` + +- [ ] **Step 2: Create `title-case-headings.yml`** + +```yaml +message: "Use title case for headings in KB articles (Chicago style). Use capitalizemytitle.com to check." +level: warning +reason: >- + This rule triggers when an H2, H3, or H4 heading in the article body does not use + title case. In Chicago-style title case, capitalize all words except: articles + (a, an, the), coordinating conjunctions (and, but, or, nor, for, so, yet), and + prepositions of four letters or fewer (in, on, at, by, for, to, up, as, of, off, + per) — unless they are the first or last word of the heading, or part of a + phrasal verb (e.g., "Set Up", "Log In"). + + Note: this is the opposite of the Netwrix docs style guide, which uses sentence + case. KB articles follow the KB style guide. Do not check the H1 heading — it is + the article title and is governed by the title format rules, not this rule. + + Common mistakes to flag: headings where common nouns mid-title are not capitalized, + or where every word including articles and prepositions is capitalized (all-caps + title case). Apply judgment — if a heading is clearly sentence case (only first + word capitalized), flag it. +``` + +- [ ] **Step 3: Create `business-jargon.yml`** + +```yaml +message: "Avoid business jargon. Use plain language instead (e.g., use \"use\" instead of \"utilize\")." +level: warning +reason: "This rule triggers when the article body contains any of the following business jargon terms: utilize, utilise (use \"use\" instead), leverage used as a verb in a non-financial context (e.g., \"leverage this feature\" — flag it; \"financial leverage\" — do not flag), synergy, synergize. Do not flag these inside code blocks or quoted error messages." +``` + +- [ ] **Step 4: Create `descriptive-links.yml`** + +```yaml +message: "Use descriptive link text. Avoid generic phrases like \"click here\", \"read more\", \"learn more\", \"see more\", or \"this link\"." +level: warning +reason: "This rule triggers when a markdown hyperlink in the article body uses any of the following as its visible link text (the part inside square brackets): \"click here\", \"here\", \"read more\", \"learn more\", \"see more\", \"this link\", \"this article\", \"this page\". These phrases do not describe the link destination and are inaccessible to screen reader users." +``` + +- [ ] **Step 5: Create `undefined-jargon.yml`** + +```yaml +message: "This appears to be a technical term or acronym not defined on first use. Define or spell it out the first time it appears." +level: warning +reason: >- + This rule triggers when the article body contains a technical term or acronym that + appears to be industry-specific or product-specific and is not defined or expanded + on its first use in the article. + + Focus especially on: + - Acronyms in all caps (e.g., FSAA, NOMBA, gMSA, SSRS, NEA) that appear without + being spelled out at first mention + - Netwrix product component abbreviations introduced without context + - Technical shorthand that a customer unfamiliar with the product might not recognize + + This rule requires judgment. Do not flag: + - Common industry acronyms that are universally understood (SQL, API, URL, HTTP) + - Terms that are defined earlier in the same article + - Terms inside code blocks or quoted error messages + + This rule is warning (not error) because it requires the most judgment of all + derek rules and is the most likely to produce false positives. +``` + +- [ ] **Step 6: Verify all 10 prose rules exist** + +```bash +ls "/Users/hilaryramirez/Documents/KB projects/docs/.claude/skills/derek/rules/" +``` + +Expected: 10 prose rule files plus 7 frontmatter files plus 1 structure file = 18 total. + +- [ ] **Step 7: Commit** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git add .claude/skills/derek/rules/contractions.yml \ + .claude/skills/derek/rules/title-case-headings.yml \ + .claude/skills/derek/rules/business-jargon.yml \ + .claude/skills/derek/rules/descriptive-links.yml \ + .claude/skills/derek/rules/undefined-jargon.yml +git commit -m "feat(derek): add prose rules batch 2 (contractions, title case, jargon, links)" +``` + +--- + +## Task 9: Smoke test against a real KB article + +**Files:** none (read-only) + +The test article is: +`docs/kb/auditor/configuration-and-setup/active-directory-auditing/active-directory-compression-service-continuously-starting-and-stopping.md` + +This article was sampled during design and has known violations: `tags: []` (missing `kb`), and body text that may contain passive voice and other issues. + +**Expected violations (minimum — there may be more):** + +| Line | Rule | Reason | +|---|---|---| +| ~17 | `frontmatter-tags-kb` | `tags: []` — does not include `kb` | +| ~34 | `passive-voice` | "These notifications cannot be stopped" (passive construction) | + +- [ ] **Step 1: Run derek against the test article** + +In Claude Code, run: + +``` +/derek docs/kb/auditor/configuration-and-setup/active-directory-auditing/active-directory-compression-service-continuously-starting-and-stopping.md +``` + +- [ ] **Step 2: Verify the output table appears** + +Derek should output a `| Line | Rule | Message | Offending Text |` table. It must not output conversational text or explanations beyond the table. + +- [ ] **Step 3: Verify `frontmatter-tags-kb` fires** + +The output table must include a row for `frontmatter-tags-kb` referencing the empty `tags: []` field. + +- [ ] **Step 4: Verify no false negatives on frontmatter fields that are present** + +The article has `title`, `description`, `sidebar_label`, `products`, and `knowledge_article_id` — none of these should appear as violations in the output. + +- [ ] **Step 5: Run against a second article to confirm consistency** + +``` +/derek docs/kb/accessanalyzer/database-auditing-and-configuration/how-to-drop-data-collected-from-sql-servers-using-the-databases-module.md +``` + +Verify: output table appears, `frontmatter-tags-kb` fires (that article uses a category tag, not `kb`), no crashes or conversational output. + +--- + +## Task 10: Final commit and open PR + +**Files:** none + +- [ ] **Step 1: Verify working tree is clean** + +```bash +cd "/Users/hilaryramirez/Documents/KB projects/docs" +git status +``` + +Expected: `nothing to commit, working tree clean` + +- [ ] **Step 2: Review all commits on the branch** + +```bash +git log dev..HEAD --oneline +``` + +Expected: commits for kb_style_guide.md, scaffold, SKILL.md, frontmatter rules, structure rule, prose rules batches 1 and 2. + +- [ ] **Step 3: Push branch** + +```bash +git push -u origin feature/derek-skill +``` + +- [ ] **Step 4: Open PR** + +```bash +gh pr create \ + --base dev \ + --title "feat(derek): add KB style guide and derek linter skill" \ + --body "$(cat <<'EOF' +## Summary + +- Adds `kb_style_guide.md` at the repo root — the authoritative style reference for KB articles written by TSEs +- Adds `.claude/skills/derek/` — a KB article linter invoked with `/derek ` + +Derek is the KB equivalent of dale. It enforces the KB style guide across 18 rules: 7 frontmatter validation checks, 1 article structure check, and 10 prose rules. + +**Note:** The KB style guide and docs style guide conflict on two rules (contractions and heading case). Derek's SKILL.md includes a warning not to run `/dale` on KB files. + +## Rules added + +**Frontmatter (error level):** title, description, sidebar_label, products, tags (must include `kb`), knowledge_article_id +**Frontmatter (warning level):** keywords count (8–12 items) +**Structure (warning):** article type heading validation (Error/Symptom Resolution and How-To) +**Prose (warning):** passive voice, "please", minimizing difficulty, inline "note that", impersonal constructions, contractions, title case headings, business jargon, generic link text, undefined jargon + +## Test plan + +- [ ] Run `/derek` against an article with a known empty `tags: []` — verify `frontmatter-tags-kb` fires +- [ ] Run `/derek` against a well-formed article — verify no false positives on valid frontmatter +- [ ] Verify output is a table only — no conversational text + +Generated with AI + +Co-Authored-By: Claude Code +EOF +)" +``` + +--- + +## Self-review + +**Spec coverage check:** + +| Spec requirement | Covered by | +|---|---| +| Create `kb_style_guide.md` at repo root | Task 2 | +| Base on wiki KB style guide | Task 2 — full content provided | +| Add docs style guide additions (no please, no simply/just, no note that, no impersonal, active voice, define jargon, descriptive links) | Task 2 (style guide) + Tasks 7–8 (rules) | +| Override: contractions written out | Task 2 (style guide) + Task 8 (`contractions.yml`) | +| Override: title case headings | Task 2 (style guide) + Task 8 (`title-case-headings.yml`) | +| Override: `tags` must include `kb` | Task 2 (style guide) + Task 5 (`frontmatter-tags-kb.yml`) | +| Feature branch off dev | Task 1 | +| `.claude/skills/derek/` mirrors dale structure | Tasks 3–8 | +| 7 frontmatter rules | Task 5 | +| 1 structure rule with type inference | Task 6 | +| 10 prose rules | Tasks 7–8 | +| `undefined-jargon.yml` at warning level | Task 8 — level: warning | +| Note in SKILL.md: do not run `/dale` on KB files | Task 4 | +| `rule-schema.yml` notes both prose and structural assertions are valid | Task 3 | +| Smoke test | Task 9 | +| PR targeting dev | Task 10 | + +No gaps found. diff --git a/.claude/skills/derek/SKILL.md b/.claude/skills/derek/SKILL.md new file mode 100644 index 0000000000..35fe2068a3 --- /dev/null +++ b/.claude/skills/derek/SKILL.md @@ -0,0 +1,136 @@ +--- +name: derek +description: KB article quality reviewer. Run against KB articles in docs/kb/ to review frontmatter, article type and structure, title format, product names, and keyword quality. Use when editing or reviewing any file under docs/kb/. +argument-hint: "[docs/kb/path/to/article.md]" +--- + +# Overview + +You are Derek, a KB article quality reviewer for Netwrix. Your job is to review KB articles against `kb_style_guide.md` and flag issues that Vale and Dale do not catch. + +**What Vale already handles — do not re-flag these:** +- Contractions (`NetwrixKB.Contractions`) +- Heading case (`NetwrixKB.HeadingCase`) +- "Please" in instructions (`NetwrixKB.Please`) +- "Note that" inline (`NetwrixKB.NoteThat`) +- Impersonal constructions (`NetwrixKB.ImpersonalFiller`) +- Generic link text (`NetwrixKB.WeakLinkText`) +- "Utilize" variants (`NetwrixKB.Utilize`) +- First-person plural (`NetwrixKB.FirstPersonPlural`) + +**What Dale already handles — do not re-flag these:** +- Passive voice +- Minimizing difficulty words (simply, just, easily) +- Idioms and colloquialisms +- Wordiness +- Undefined acronyms + +Derek focuses on what's left: frontmatter validity, article type and structure, title format, product name usage, and keyword/description quality. + +# How to Review + +1. Read `kb_style_guide.md` from the repo root. +2. Read the article at `$1`. Always read the file directly from disk — do not use any version of this file that may be in context from earlier in the session. +3. Identify the article type (see below). +4. Work through each review area. +5. Output the assessment line and table. + +# Article Type Identification + +Determine the article type from the title: + +- Title starts with `Error:` → **Resolution (Error)** +- Title starts with a gerund (verb ending in -ing, e.g., "Configuring...", "Modifying...") → **How-To (Instructions)** +- Title is a question or starts with "How to" → **How-To (Q&A)** +- Everything else → **Resolution (Symptom)** + +# Review Areas + +## 1. Frontmatter + +Check that all required fields are present and valid: + +| Field | What to check | +|---|---| +| `title` | Present; quoted if it contains colons or special characters | +| `description` | Present, non-empty, 1–2 sentences | +| `sidebar_label` | Present, non-empty | +| `keywords` | Present, contains 8–12 items | +| `products` | Present, contains at least one product ID | +| `tags` | Present and includes `kb` | +| `knowledge_article_id` | If present, must not be empty — a non-empty value must start with `kA` followed by alphanumeric characters. If absent, do not flag. | + +Flag each missing or invalid field as a separate row in the output table. + +## 2. Article Structure + +Check that the required H2 headings are present for the identified article type: + +| Type | Required headings | +|---|---| +| Resolution (Error or Symptom) | `## Symptom` or `## Symptoms`, `## Cause` or `## Causes`, `## Resolution` or `## Resolutions` | +| How-To (Instructions) | `## Overview`, `## Instructions` | +| How-To (Q&A) | `## Question`, `## Answer` | + +When a required heading is missing, include the full expected heading template in the Message column so the writer can copy it in. + +## 3. Title Format + +Check that the title matches the expected format for the article type: + +- **Resolution (Error):** starts with `Error:` followed by the unique error code or message +- **How-To:** starts with a gerund — not "How to", no question mark +- **Resolution (Symptom):** `[Feature or Component] [Symptom] [Optional: Context]` — descriptive, not vague (e.g., "AD not working" is too vague) + +Also check: title must not contain a product name — product names belong in the `products` frontmatter field. + +## 4. Product Names + +Check that Netwrix product names follow the correct pattern from `kb_style_guide.md`: + +- First mention in body text: full product name (e.g., "Netwrix Auditor") +- All subsequent mentions: short product name (e.g., "Auditor") +- No unapproved abbreviations (e.g., "NA" for Netwrix Auditor) + +## 5. Admonition Format + +KB articles use blockquote callouts, not Docusaurus admonition syntax. Flag any `:::note`, `:::tip`, `:::warning`, or `:::danger` blocks and tell the writer to convert them: + +- `> **NOTE:**` — for supplementary information +- `> **IMPORTANT:**` — for critical information that could cause issues if ignored + +## 6. Keywords and Description Quality + +**Keywords:** The 8–12 keywords should be specific and searchable — error codes, product names, technical terms, and phrases a customer would type into a search bar. Flag if keywords are too generic, simply repeat the title, or are missing obvious terms visible in the article body. + +**Description:** Should be 1–2 sentences, SEO-friendly, and accurately summarize what the article covers and what it helps the reader do. Flag if empty, too vague, or a verbatim copy of the title. + +# Output + +**Output format is strictly required. Do not use a vertical list, prose paragraphs, or any other format. Always use the table below.** + +Print the assessment line first: + +> **Article type:** [How-To (Instructions) | How-To (Q&A) | Resolution (Error) | Resolution (Symptom) | Unknown] — **[N] issue(s) found.** + +Then print the markdown table. Every issue must be a row in this table — no exceptions: + +| Line | Rule | Message | Offending Text | +|------|------|---------|----------------| +| 1 | `frontmatter-tags-kb` | The `tags` field must be present and must include `kb`. | `tags: []` | + +If no issues are found, print the assessment line followed by "Derek found no issues." Do not print an empty table. + +**Consolidating structure violations:** When multiple required headings are missing for the same article type, use a single `structure-article-type` row. List all missing headings in the Message column. If fixing the title would change the article type and resolve the structure issue automatically, note that in the Message. + +**Line number guidance:** +- Frontmatter field missing entirely: use line `1` +- Frontmatter field present but invalid: use the line number of that field +- Missing required heading: use line `1`; include the expected heading template in Message +- Title format violation: use the line number of the H1 heading +- Product name violation: use the line number of the offending text +- Keywords or description quality issue: use the line number of the field in frontmatter + +# Troubleshooting + +Never re-flag issues that Vale or Dale already catch. Never respond with anything beyond the assessment line and output table. diff --git a/.claude/specs/2026-04-07-derek-design.md b/.claude/specs/2026-04-07-derek-design.md new file mode 100644 index 0000000000..fdd4ee340e --- /dev/null +++ b/.claude/specs/2026-04-07-derek-design.md @@ -0,0 +1,206 @@ +# Derek Skill — Design Spec + +**Date:** 2026-04-07 +**Status:** Approved + +--- + +## Summary + +Derek is a Claude skill that lints KB articles against the Netwrix KB style guide. It is the KB equivalent of dale — pure input/output, no conversation. Invoked with `/derek `. + +Two deliverables: +1. `kb_style_guide.md` — new file at repo root, authoritative style reference for KB articles +2. `.claude/skills/derek/` — the skill itself + +--- + +## Context + +- KB articles live in `docs/kb//` +- They are written by TSEs (technical support engineers), not the docs team +- They follow a different style guide than regular product docs +- The `feature/frontmatter-autoinjection` script explicitly skips KB files (`docs/kb/*`) because their frontmatter schema is more complex — derek handles it instead +- Dale enforces the docs style guide (`netwrix_style_guide.md`). Derek enforces the KB style guide (`kb_style_guide.md`). **The two guides conflict on contractions and heading case — do not run `/dale` on KB files.** + +--- + +## Deliverable 1: `kb_style_guide.md` + +Created at the repo root alongside `netwrix_style_guide.md`. + +**Source:** Internal wiki KB style guide (`knowledge-style-guide-markdown.md`), with the following additions and overrides. + +### Additions (from docs style guide — apply universally) + +- No "please" in instructions — be direct +- No "simply", "just", "easily", "basically", "obviously" +- No inline "note that" / "please note" — use admonition blocks +- No impersonal constructions: "it is recommended / necessary / possible / required / advised / suggested" +- Active voice — with examples +- Define technical terms and acronyms on first use +- Descriptive link text — never "click here", "read more", "learn more", "see more" + +### Overrides (wiki rule takes precedence over docs style guide) + +| Topic | KB rule | +|---|---| +| Contractions | Write out in full: "do not", "cannot", "you will" | +| Heading case | Title case (Chicago style, capitalizemytitle.com) | + +### Tags field — required, must include `kb` + +The wiki marks `tags` as optional. **This is overridden for the Netwrix repo:** `tags` must be present and must include `kb`. This enables KB article filtering in Algolia search — Algolia indexes the `tags` field automatically, no Algolia config changes required. + +### Frontmatter schema + +All KB articles must have this frontmatter: + +```yaml +--- +description: >- + Short, SEO-friendly summary of the article (1–2 sentences). +keywords: + - keyword one + - keyword two + - (8–12 items total) +products: + - product-id +sidebar_label: 'Article Title' +tags: + - kb +title: "Full Article Title" +knowledge_article_id: kA0Qk000000XXXXKAA +--- +``` + +**Required fields:** + +| Field | Format | +|---|---| +| `title` | Quoted string — full article title | +| `description` | Non-empty string or `>-` multiline block | +| `sidebar_label` | Quoted string — matches or shortens the title | +| `keywords` | YAML list of 8–12 technical/product search terms | +| `products` | YAML list of product IDs (see product names table) | +| `tags` | YAML list; **must include `kb`** | +| `knowledge_article_id` | Salesforce KB article ID matching `kA[0-9A-Za-z]+` | + +--- + +## Deliverable 2: `.claude/skills/derek/` + +### Architecture + +Mirrors dale exactly: `SKILL.md` + `rules/*.yml` + `references/rule-schema.yml`. Option A chosen over Option B (split `rules/` and `checks/`) because the output and invocation are identical, and the added complexity of two processing loops in SKILL.md provides no user-facing benefit. The `reason` field in rule files describes what to look for — equally valid for prose patterns and structural assertions. + +### File layout + +``` +.claude/skills/derek/ + SKILL.md + rules/ + frontmatter-title.yml + frontmatter-description.yml + frontmatter-sidebar-label.yml + frontmatter-keywords-count.yml + frontmatter-products.yml + frontmatter-tags-kb.yml + frontmatter-knowledge-article-id.yml + structure-article-type.yml + no-please.yml + minimizing-difficulty.yml + no-note-that.yml + impersonal-constructions.yml + passive-voice.yml + undefined-jargon.yml + descriptive-links.yml + contractions.yml + title-case-headings.yml + business-jargon.yml + references/ + rule-schema.yml +``` + +18 rules total: 7 frontmatter, 1 structure, 10 prose. + +### SKILL.md behavior + +- Pure linter — no conversation, no explanation beyond the output table +- Creates a Todo for each rule file +- For each rule: reads `reason`, checks the document, notes violations +- Outputs a single table at the end (or "no issues found") +- Includes a warning: **do not run `/dale` on KB files** — the KB style guide and docs style guide conflict on contractions and heading case + +### Output format (same as dale) + +``` +| Line | Rule | Message | Offending Text | +|------|------|---------|----------------| +``` + +- Frontmatter violations where a field is missing: Line is `1` (frontmatter block start) +- Structure violations: Line is the line number of the first mismatched or missing heading +- Structure violations where sections are entirely missing: message includes the expected heading template the writer can copy in + +--- + +## Rules detail + +### Frontmatter rules + +| File | Level | Checks | +|---|---|---| +| `frontmatter-title.yml` | error | `title` present and is a quoted string | +| `frontmatter-description.yml` | error | `description` present and non-empty | +| `frontmatter-sidebar-label.yml` | error | `sidebar_label` present and non-empty | +| `frontmatter-keywords-count.yml` | warning | `keywords` present and contains 8–12 items | +| `frontmatter-products.yml` | error | `products` present with at least one item | +| `frontmatter-tags-kb.yml` | error | `tags` present and includes `kb` | +| `frontmatter-knowledge-article-id.yml` | error | `knowledge_article_id` present and matches `kA[0-9A-Za-z]+` | + +### Structure rule + +| File | Level | Checks | +|---|---|---| +| `structure-article-type.yml` | warning | Infers article type from title, validates required H2 headings are present | + +**Type inference logic:** +- Title starts with `"Error:"` → Error Resolution → expects `## Symptom/Symptoms`, `## Cause/Causes`, `## Resolution/Resolutions` +- Title starts with a gerund or `"How to"` → How-To → expects `## Overview` + `## Instructions`, or `## Question` + `## Answer` +- Everything else → Symptom Resolution → expects `## Symptom/Symptoms`, `## Cause/Causes`, `## Resolution/Resolutions` + +When required headings are missing, the violation message outputs the expected heading template for the inferred type. + +### Prose rules + +| File | Level | Checks | +|---|---|---| +| `passive-voice.yml` | warning | Passive voice constructions in body text | +| `no-please.yml` | warning | "please" in instructions | +| `minimizing-difficulty.yml` | warning | "simply", "just", "easily", "basically", "obviously" | +| `no-note-that.yml` | warning | Inline "note that" or "please note" | +| `impersonal-constructions.yml` | warning | "it is recommended/necessary/possible/required/advised/suggested" | +| `contractions.yml` | warning | Contractions (don't, can't, you'll, etc.) — write out in full in KB articles | +| `title-case-headings.yml` | warning | Headings not in title case (Chicago style) | +| `business-jargon.yml` | warning | "utilize/utilise", "leverage" (non-financial), "synergy" | +| `descriptive-links.yml` | warning | Generic link text: "click here", "read more", "learn more", "see more", "this link" | +| `undefined-jargon.yml` | warning | Technical terms or acronyms used without definition on first use | + +`undefined-jargon.yml` is `warning` (not `error`) because it requires the most judgment and is the most likely source of false positives. + +--- + +## Branch + +New feature branch off `dev`: `feature/derek-skill` + +--- + +## Notes on existing articles + +Article scan (15 articles across 6+ products) found: +- **Tags**: All articles have either `tags: []` or category-based tags — no article has `kb` in tags. `frontmatter-tags-kb` will fire on every existing article. +- **Keyword count**: Range 3–9 across sampled articles, below the 8–12 requirement. `frontmatter-keywords-count` will fire frequently. +- **Missing sidebar_label**: One article found without it. +- These are expected and reflect the remediation work derek is meant to surface. diff --git a/.vale.ini b/.vale.ini index f1f6eb9254..7ba971d191 100644 --- a/.vale.ini +++ b/.vale.ini @@ -5,4 +5,4 @@ MinAlertLevel = suggestion BasedOnStyles = Netwrix [docs/kb/**/*.md] -BasedOnStyles = +BasedOnStyles = NetwrixKB diff --git a/.vale/styles/NetwrixKB/Contractions.yml b/.vale/styles/NetwrixKB/Contractions.yml new file mode 100644 index 0000000000..b14cbdad6d --- /dev/null +++ b/.vale/styles/NetwrixKB/Contractions.yml @@ -0,0 +1,32 @@ +extends: existence +message: "Write '%s' out in full for KB articles (e.g., 'do not', 'cannot', 'you will')." +level: warning +ignorecase: true +tokens: + - "don't" + - "doesn't" + - "didn't" + - "can't" + - "wouldn't" + - "shouldn't" + - "couldn't" + - "isn't" + - "aren't" + - "wasn't" + - "weren't" + - "hasn't" + - "haven't" + - "hadn't" + - "you'll" + - "it's" + - "there's" + - "that's" + - "won't" + - "we're" + - "they're" + - "you're" + - "he's" + - "she's" + - "we've" + - "they've" + - "you've" diff --git a/.vale/styles/NetwrixKB/FirstPersonPlural.yml b/.vale/styles/NetwrixKB/FirstPersonPlural.yml new file mode 100644 index 0000000000..475707f49e --- /dev/null +++ b/.vale/styles/NetwrixKB/FirstPersonPlural.yml @@ -0,0 +1,10 @@ +extends: existence +message: "Avoid first person plural '%s'. Rewrite without 'we', 'our', 'us', or 'ours'." +level: warning +ignorecase: true +nonword: true +tokens: + - '\bwe\b' + - '\bour\b' + - '\bours\b' + - '\bus\b' diff --git a/.vale/styles/NetwrixKB/HeadingCase.yml b/.vale/styles/NetwrixKB/HeadingCase.yml new file mode 100644 index 0000000000..edf715228a --- /dev/null +++ b/.vale/styles/NetwrixKB/HeadingCase.yml @@ -0,0 +1,6 @@ +extends: capitalization +message: "Use title case for KB article headings." +level: warning +match: $title +style: Chicago +scope: heading diff --git a/.vale/styles/NetwrixKB/ImpersonalFiller.yml b/.vale/styles/NetwrixKB/ImpersonalFiller.yml new file mode 100644 index 0000000000..eafba7ad9a --- /dev/null +++ b/.vale/styles/NetwrixKB/ImpersonalFiller.yml @@ -0,0 +1,18 @@ +extends: existence +message: "Remove '%s' and state the point directly." +level: warning +ignorecase: true +nonword: true +tokens: + - '\bit should be noted that\b' + - '\bit is important to note that\b' + - '\bit is important to ensure that\b' + - '\bit is important to\b' + - '\bit is recommended that\b' + - '\bit is necessary to\b' + - '\bit is possible to\b' + - '\bit is worth noting that\b' + - '\bit must be noted that\b' + - '\bas mentioned previously\b' + - '\bas previously mentioned\b' + - '\bneedless to say\b' diff --git a/.vale/styles/NetwrixKB/NoteThat.yml b/.vale/styles/NetwrixKB/NoteThat.yml new file mode 100644 index 0000000000..9c4a5b55bb --- /dev/null +++ b/.vale/styles/NetwrixKB/NoteThat.yml @@ -0,0 +1,7 @@ +extends: existence +message: "Avoid '%s'. Use a blockquote callout instead: '> **NOTE:** ...' or '> **IMPORTANT:** ...'" +level: warning +ignorecase: true +tokens: + - '\bnote that\b' + - '\bplease note\b' diff --git a/.vale/styles/NetwrixKB/Please.yml b/.vale/styles/NetwrixKB/Please.yml new file mode 100644 index 0000000000..b9b3da3601 --- /dev/null +++ b/.vale/styles/NetwrixKB/Please.yml @@ -0,0 +1,7 @@ +extends: existence +message: "Avoid 'please' in instructions. Be direct." +level: warning +ignorecase: true +nonword: true +tokens: + - '\bplease(?!\s+note)\b' diff --git a/.vale/styles/NetwrixKB/Utilize.yml b/.vale/styles/NetwrixKB/Utilize.yml new file mode 100644 index 0000000000..e50ee9715e --- /dev/null +++ b/.vale/styles/NetwrixKB/Utilize.yml @@ -0,0 +1,13 @@ +extends: substitution +message: "Use '%s' — avoid 'utilize' and its variants." +level: warning +ignorecase: true +swap: + '\butilizes\b': 'uses' + '\butilized\b': 'used' + '\butilizing\b': 'using' + '\butilize\b': 'use' + '\butilises\b': 'uses' + '\butilised\b': 'used' + '\butilising\b': 'using' + '\butilise\b': 'use' diff --git a/.vale/styles/NetwrixKB/WeakLinkText.yml b/.vale/styles/NetwrixKB/WeakLinkText.yml new file mode 100644 index 0000000000..517ad881e7 --- /dev/null +++ b/.vale/styles/NetwrixKB/WeakLinkText.yml @@ -0,0 +1,10 @@ +extends: existence +message: "Avoid generic link text '%s'. Write descriptive link text that describes the destination or action." +level: warning +ignorecase: true +tokens: + - '\bclick here\b' + - '\bthis link\b' + - '\blearn more\b' + - '\bsee more\b' + - '\bread more\b' diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/netappcmode/activity/configurefpolicy.md b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/netappcmode/activity/configurefpolicy.md index 4b9516741d..0e1fea0f40 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/netappcmode/activity/configurefpolicy.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/netappcmode/activity/configurefpolicy.md @@ -20,8 +20,8 @@ There are two ways to configure FPolicy: mode allows you to fine tune FPolicy by excluding certain volumes or shares from being monitored. It also reduces product permissions. -Regardless of the chosen approach for FPolicy configuration, one also needs to perform extra steps -if the FPolicy communication has to be secured with TLS. +Regardless of the FPolicy configuration approach, perform extra steps if you need to secure FPolicy +communication with TLS. ## TLS Authentication Options @@ -29,34 +29,32 @@ There are two TLS FPolicy Authentication options that can be used: - TLS, server authentication – Server only authentication - - A certificate (Server Certificate) for the Agent server needs to be generated and copied to a - PEM file. The Server Certificate PEM file needs to be saved locally on the Activity Monitor - Console server. - - For manual FPolicy configuration, the Server Certificate needs to be installed on the SVM, and - then server-authentication set. + - Generate a Server Certificate for the Agent server and copy it to a PEM file. Save the Server + Certificate PEM file locally on the Activity Monitor Console server. + - For manual FPolicy configuration, install the Server Certificate on the SVM and then set + server-authentication. - For automatic FPolicy configuration, the Activity Monitor manages installation of the Server Certificate. - TLS, mutual authentication – Mutual authentication - - A certificate (Server Certificate) for the Agent server needs to be generated and copied to a - PEM file. The Server Certificate PEM file needs to be saved locally on the Activity Monitor + - Generate a Server Certificate for the Agent server and copy it to a PEM file. Save the Server + Certificate PEM file locally on the Activity Monitor Console server. + - Copy the SVM's Client Certificate to a PEM file and save it locally on the Activity Monitor Console server. - - A certificate (Client Certificate) for the SVM needs to be copied to a PEM file and saved - locally on the Activity Monitor Console server. - - For manual FPolicy configuration, the Server Certificate needs to be installed on the SVM and - then mutual-authentication set. - - For automatic FPolicy configuration, mutual-authentication set before the configuration + - For manual FPolicy configuration, install the Server Certificate on the SVM and then set + mutual-authentication. + - For automatic FPolicy configuration, set mutual-authentication before the configuration process. The Activity Monitor manages installation of both certificates. ### Generate Server Certificate -A certificate (Server Certificate) for the Agent server needs to be generated and copied to a PEM -file. This is required for both of the TLS authentication options. +Generate a Server Certificate for the Agent server and copy it to a PEM file. Both TLS +authentication options require this certificate. The PEM file must contain both Public Key and Private Key parts. A certificate may be self-signed or -issued by a certification authority. Below are the steps for generation of a self-signed certificate -using OpenSSL toolkit. +issued by a certification authority. The following steps generate a self-signed certificate using +the OpenSSL toolkit. Use the following command on the agent server to create the Server Certificate and copy it to a .pem file: @@ -108,7 +106,7 @@ during Part 6 of manual configuration and prior to automatic configuration: **Step 3 –** Copy the value of Public Key Certificate field to a PEM file. The value spans multiple lines, starts with "`----BEGIN CERTIFICATE-----`" and ends with "`-----END CERTIFICATE-----`". -The Client Certificate PEM file has been created. +The Client Certificate PEM file is ready. ## Persistent Store @@ -158,9 +156,8 @@ This command is available to cluster administrators at the admin privilege level ::: -It is recommended to allow the volume to be created automatically. In this case, the FPolicy -subsystem manages the volume, maintains the directory structure, and protects it from accidental -deletion by marking it as not mountable. +Allow the FPolicy subsystem to create the volume automatically. It manages the volume, maintains +the directory structure, and protects it from accidental deletion by marking it as not mountable. If you choose to create the volume manually, ensure the following: @@ -172,8 +169,8 @@ NetApp documentation. ## Manually Configure FPolicy -This section describes how to manually configure FPolicy. Manual configuration of the FPolicy is -recommended if the policy needs to be scoped to monitor select volumes or shares. It is necessary to +This section describes how to manually configure FPolicy. Use manual configuration when you need to +scope the policy to monitor specific volumes or shares. It is necessary to create several FPolicy components and then enable the FPolicy. See the sections corresponding to each part of this list: @@ -223,8 +220,7 @@ each part of this list: ### Part 1: Install Server Certificate on the SVM -If using the TLS authentication options, it is necessary to install the Server Certificate on the -SVM. +If using the TLS authentication options, install the Server Certificate on the SVM. Use the following command to install the Server Certificate: @@ -324,8 +320,7 @@ Maximum Notification Retention Duration: 3m                  External Engine Format: xml ``` -Relevant NetApp Documentation: To learn more about creating an external engine, please visit the -NetApp website and read the +For more information about creating an external engine, see the [vserver fpolicy policy external-engine create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-external-engine-create.html) article. @@ -355,9 +350,8 @@ IMPORTANT: - `monitor-fileop-failure` – `true `or `false`, indicates whether failed file operations are reported. -- Limiting the file operations to be monitored is an excellent way to limit the performance impact - the FPolicy will have on the NetApp device. The file operations from which to choose are below - with additional filter options: +- Limiting monitored file operations reduces the performance impact on the NetApp device. The + following file operations are available, with filter options: - `create` – File create operations - `create_dir` – Directory create operations @@ -503,8 +497,7 @@ Ontap915::> fpolicy policy event show -vserver svm0 -event-name StealthAUDITScre Send Failed File Operation Notifications: false ``` -Relevant NetApp Documentation: To learn more about creating an event, please visit the NetApp -website and read the +For more information about creating an event, see the [vserver fpolicy policy event create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-event-create.html) article. @@ -580,9 +573,9 @@ StealthAUDITPersistentStore -instance Size of the Persistent Store: 5GB Autosize Mode for the Volume: grow_shrink -Visit the NetApp website and see the +For more information about creating a Persistent Store, see the [vserver fpolicy persistent store create](https://docs.netapp.com/us-en/ontap-cli/vserver-fpolicy-persistent-store-create.html) -article for additional information about creating a Persistent Store. +article. ### Part 5: Create FPolicy Policy @@ -685,16 +678,15 @@ User Name for Privileged Access: -           Persistent Store Name: - ``` -Relevant NetApp Documentation: To learn more about creating a policy, please visit the NetApp -website and read the +For more information about creating a policy, see the [vserver fpolicy policy create](https://docs.netapp.com/us-en/ontap-cli/vserver-fpolicy-policy-create.html) article. ### Part 6: Create FPolicy Scope -The FPolicy scope creates the filters necessary to perform scans on specific shares or volumes. It -is possible to set the scope to monitor all volumes or all shares by replacing the volume/share name -variable [SVM_NAME] in the command with an asterisk (\*). +The FPolicy scope creates the filters necessary to perform scans on specific shares or volumes. To +monitor all volumes or all shares, replace the volume/share name variable [SVM_NAME] in the command +with an asterisk (\*). IMPORTANT: @@ -749,15 +741,13 @@ File Extensions to Include: - File Extensions to Exclude: - ``` -Relevant NetApp Documentation: To learn more about creating scope, please visit the NetApp website -and read the +For more information about creating scope, see the [vserver fpolicy policy scope create](https://docs.netapp.com/us-en/ontap-cli-9141/vserver-fpolicy-policy-scope-create.html) article. ### Part 7: Set TLS Authentication -If using the TLS authentication options, it is necessary to set authentication for the type of -authentication. +If using the TLS authentication options, set the appropriate authentication type. #### Set Server-Authentication @@ -797,7 +787,7 @@ vserver fpolicy policy external-engine show -fields ssl-option ### Part 8: Enable the FPolicy -The FPolicy must be enabled before the Activity Monitor Agent can be configured to monitor the SVM. +Enable the FPolicy before configuring the Activity Monitor Agent to monitor the SVM. IMPORTANT: @@ -836,8 +826,7 @@ svm0          StealthAUDIT                  10  on                                                          DITEngine ``` -Relevant NetApp Documentation: To learn more about enabling a policy, please visit the NetApp -website and read the +For more information about enabling a policy, see the [vserver fpolicy enable](https://docs.netapp.com/us-en/ontap-cli-9121//vserver-fpolicy-enable.html) article. @@ -891,13 +880,13 @@ in the monitored host properties. The volume will be automatically created if it exist. See the [Persistent Store](#persistent-store) topic for additional information on the recommended volume size. -If using the TLS, mutual authentication option, you will need to create the PEM file for the Client -Certification, which is needed during the monitored host configuration in the Activity Monitor. It -will also be necessary to set mutual authentication on the SVM. +If using the TLS, mutual authentication option, create the PEM file for the Client Certificate, +which you need during the monitored host configuration in the Activity Monitor. You must also set +mutual authentication on the SVM. ### Set TLS Mutual-Authentication -If using the TLS, mutual authentication options, it is necessary to set authentication. +If using the TLS, mutual authentication options, set authentication as follows. Use the following command to set mutual-authentication: diff --git a/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md b/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md index 107f996bb4..467b5c4f4d 100644 --- a/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md +++ b/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md @@ -6,7 +6,7 @@ sidebar_position: 10 # Supported Data Sources -This section lists platforms and systems that can be monitored with Netwrix Auditor. +This section lists platforms and systems that Netwrix Auditor can monitor. ## Active Directory @@ -37,7 +37,7 @@ information. Auditor supports monitoring Azure Files with the following requirements: -- Azure Storage Account with File Shares (SMB protocol) +- Azure Storage Account with File Shares (Server Message Block (SMB) protocol) - identity sources: - Active Directory Domain Services (AD DS) - Microsoft Entra Kerberos @@ -72,7 +72,7 @@ versions: - Dell VNX/VNXe/Celerra families - Dell PowerStore family -> **NOTE:** Only CIFS configuration is supported. +> **NOTE:** Netwrix Auditor supports only Common Internet File System (CIFS) configuration. See the [Dell Data Storage](/docs/auditor/10.8/configuration/fileservers/delldatastorage/overview.md) topic for additional information. @@ -83,10 +83,9 @@ Auditor supports monitoring the following device versions: - Dell Isilon/PowerScale versions 7.2 – 9.12 -> **NOTE:** Only CIFS configuration is supported. +> **NOTE:** Netwrix Auditor supports only CIFS configuration. -> **IMPORTANT:** Auditing of _System_ zone is not supported. As stated by Dell, this zone should be reserved for -configuration access only. Current data should be stored in other access zones. See the +> **IMPORTANT:** Netwrix Auditor does not support auditing of the _System_ zone. Dell designates this zone for configuration access only. Store current data in other access zones. See the [Dell Isilon/PowerScale](/docs/auditor/10.8/configuration/fileservers/dellisilon/overview.md) topic for additional information. @@ -99,7 +98,7 @@ Auditor supports monitoring the following device versions: - 9.0 – 9.17 - 8.3 -> **NOTE:** Only CIFS configuration is supported. +> **NOTE:** Netwrix Auditor supports only CIFS configuration. See the [NetApp Data ONTAP](/docs/auditor/10.8/configuration/fileservers/netappcmode/overview.md) topic for additional information. @@ -125,7 +124,7 @@ See the [Qumulo](/docs/auditor/10.8/configuration/fileservers/qumulo/overview.md Auditor supports monitoring the following device versions: -- DSM 7.2.1 +- DiskStation Manager (DSM) 7.2.1 - DSM 7.1 - DSM 7.0 - DSM 6.2.3 @@ -188,7 +187,7 @@ Auditor supports monitoring the following versions: - Exchange Online version provided within Microsoft Office 365 - Microsoft GCC (government community cloud) and GCC High -> **NOTE:** DoD tenant types are not supported. +> **NOTE:** Netwrix Auditor does not support Department of Defense (DoD) tenant types. See the [Exchange Online](/docs/auditor/10.8/configuration/microsoft365/exchangeonline/overview.md) topic for additional information. @@ -200,7 +199,7 @@ Auditor supports monitoring the following versions: - Microsoft Entra ID version provided within Microsoft Office 365 - Microsoft GCC (government community cloud) and GCC High -> **NOTE:** DoD tenant types are not supported. +> **NOTE:** Netwrix Auditor does not support DoD tenant types. See the [Microsoft Entra ID (formerly Azure AD)](/docs/auditor/10.8/configuration/microsoft365/microsoftentraid/overview.md) @@ -213,7 +212,7 @@ Auditor supports monitoring the following versions: - Microsoft Entra ID version provided within Microsoft Office 365 - Microsoft GCC (government community cloud) and GCC High -> **NOTE:** DoD tenant types are not supported. +> **NOTE:** Netwrix Auditor does not support DoD tenant types. See the [MS Teams](/docs/auditor/10.8/configuration/microsoft365/teams/overview.md) topic for additional information. @@ -225,7 +224,7 @@ Auditor supports monitoring the following versions: - SharePoint Online version provided within Microsoft Office 365 - Microsoft GCC (government community cloud) and GCC High -> **NOTE:** DoD tenant types are not supported. +> **NOTE:** Netwrix Auditor does not support DoD tenant types. See the [SharePoint Online](/docs/auditor/10.8/configuration/microsoft365/sharepointonline/overview.md) topic for additional information. @@ -364,7 +363,7 @@ Auditor supports monitoring the following versions: - Microsoft SQL Server 2014 - Microsoft SQL Server 2012 -> **NOTE:** Linux-based versions are not supported. +> **NOTE:** Netwrix Auditor does not support Linux-based versions. See the [SQL Server](/docs/auditor/10.8/configuration/sqlserver/overview.md) topic for additional information. @@ -387,12 +386,10 @@ Auditor supports monitoring the following versions: User Activity data source can support around 300 targets with one user session per target without scalability issues: -- Depending on how dense is the actual user activity, the number can be more for servers but less - for workstations. +- Depending on user activity density, the number may be higher for servers and lower for workstations. - 50-100 concurrent sessions per terminal server. -Netwrix recommends using the User Activity auditing only for those infrastructure areas that require -more attention due to their sensitivity or criticality. Applicable usage scenarios include, for +Netwrix recommends User Activity auditing only for sensitive or critical infrastructure areas. Applicable usage scenarios include, for example: - Terminal servers where users can log in from external locations @@ -440,9 +437,9 @@ Auditor supports monitoring the following operating system versions: - Windows Server 2012 R2 - Windows Server 2012 -> **NOTE:** DNS support is limited on Windows Server 2008 to Windows Server 2008 SP2 (32 and 64-bit). +> **NOTE:** DNS support on Windows Server 2008 is limited to Windows Server 2008 SP2 (32 and 64-bit). -> **NOTE:** DHCP is not supported on Windows Server 2008. +> **NOTE:** Netwrix Auditor does not support DHCP on Windows Server 2008. Internet Information Services (IIS) @@ -460,7 +457,6 @@ leveraging its API. Download free add-ons from [Netwrix Auditor Add-on Store](https://www.netwrix.com/netwrix_addons.html) to enrich your audit trails with activity from the following systems and applications. -Also, there are even add-ons that can export data collected by Auditor to other systems (e.g., -ArcSight and ServiceNow). +Add-ons are also available to export data collected by Auditor to other systems (e.g., ArcSight and ServiceNow). See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information. diff --git a/docs/changetracker/8.1/admin/devicediscoveryregistration/devicediscoveryregistration.md b/docs/changetracker/8.1/admin/devicediscoveryregistration/devicediscoveryregistration.md index 3bb89e2d3d..2434f80b4e 100644 --- a/docs/changetracker/8.1/admin/devicediscoveryregistration/devicediscoveryregistration.md +++ b/docs/changetracker/8.1/admin/devicediscoveryregistration/devicediscoveryregistration.md @@ -2,7 +2,7 @@ ## Overview -This document describes how devices are discovered and registered within the system. The process consists of two main phases: +This document describes how the system discovers and registers devices. The process consists of two main phases: 1. **Device Discovery** - Identifying device characteristics and operating system details 2. **Device Registration** - Placing devices into appropriate groups based on their characteristics @@ -153,22 +153,22 @@ Device registration is the process of placing newly discovered devices into appr When a device is first discovered or re-registered, it follows this sequence: -1. **Initial Placement**: Device is placed in both the "New Devices" and "Awaiting Registration" groups - - The "New Devices" group serves as a safety net - if the registration process fails for any reason, the device can still be found here +1. **Initial Placement**: The system places the device in both the "New Devices" and "Awaiting Registration" groups + - The "New Devices" group provides a fallback — if the registration process fails for any reason, the device can still be found here - This ensures devices are never "lost" during the registration process -2. **Registration Report Execution**: A registration report is run to collect device characteristics +2. **Registration Report Execution**: The system runs a registration report to collect device characteristics - The report gathers information such as operating system type, version, and other attributes - - This data is used to determine appropriate group placement + - This data determines appropriate group placement -3. **Group Assignment**: Based on the report results and custom scripts, the device is assigned to groups +3. **Group Assignment**: Based on the report results and custom scripts, the system assigns the device to groups - Custom registration scripts can examine the collected data and apply business logic - If no custom script exists, default OS-based group assignment is used -4. **Final Placement**: Device is moved from "Awaiting Registration" to its target groups - - If appropriate groups are found, the device is removed from "New Devices" and added to target groups +4. **Final Placement**: The system moves the device from "Awaiting Registration" to its target groups + - If appropriate groups are found, the system removes the device from "New Devices" and adds it to target groups - If no appropriate groups are found or registration fails, the device **remains in "New Devices"** for manual review - - Device is always added to the "All Devices" group regardless of other group assignments + - The system always adds the device to the "All Devices" group regardless of other group assignments ### Default Group Assignment @@ -219,7 +219,7 @@ The system follows this sequence when assigning groups: 2. **Remove from Awaiting Registration**: Device is removed from the "Awaiting Registration" group -3. **Evaluate Custom Script**: If a custom registration script exists, it is executed with the device characteristics +3. **Evaluate Custom Script**: If a custom registration script exists, the system executes it with the device characteristics 4. **Determine Target Groups**: Groups are identified based on: - Custom script results (if script exists) @@ -229,9 +229,9 @@ The system follows this sequence when assigning groups: - If any group doesn't exist, the entire registration is aborted - Device remains in "New Devices" for manual intervention -6. **Remove from Previous OS Groups**: If `EnableAutoReregisterAgentAfterOsChange` is enabled, device is removed from previous OS-specific groups (during re-registration scenarios) +6. **Remove from Previous OS Groups**: If `EnableAutoReregisterAgentAfterOsChange` is enabled, the system removes the device from previous OS-specific groups (during re-registration scenarios) -7. **Add to Target Groups**: Device is added to all identified groups (if validation passed) +7. **Add to Target Groups**: The system adds the device to all identified groups (if validation passed) 8. **Add to All Devices**: Device is always added to the "All Devices" group @@ -252,7 +252,7 @@ If the registration process encounters issues, the device remains in the "New De - **Validation Failures**: Any validation failure during the registration process results in the device staying in "New Devices" -This safety-net approach ensures that devices requiring manual intervention can always be found in the "New Devices" group, preventing devices from being "lost" in the system. +This fallback approach ensures that devices requiring manual intervention can always be found in the "New Devices" group, preventing devices from being "lost" in the system. --- @@ -277,7 +277,7 @@ This safety-net approach ensures that devices requiring manual intervention can **Default Value**: `false` **Behaviour**: -- When `true`: If a device's OS changes (e.g., after an upgrade), it is automatically moved back to "Awaiting Registration" and the registration process runs again +- When `true`: If a device's OS changes (e.g., after an upgrade), the system automatically moves it back to "Awaiting Registration" and runs the registration process again - When `false`: OS changes do not trigger automatic re-registration **Use Case**: Enable this setting if you want devices to be automatically reassigned to appropriate OS-specific groups after operating system upgrades. diff --git a/docs/endpointprotector/admin/dc_module/globalrights.md b/docs/endpointprotector/admin/dc_module/globalrights.md index c05b8dd665..275a42d090 100644 --- a/docs/endpointprotector/admin/dc_module/globalrights.md +++ b/docs/endpointprotector/admin/dc_module/globalrights.md @@ -10,8 +10,8 @@ From this section, you can manage the entire system and specify what rights and globally, to all Endpoint Protector entities. :::note -If device rights or other settings will be configured granularly for entities, the priority -order, starting with the highest, will be as follows: +If you configure device rights or other settings granularly for entities, the priority +order, starting with the highest, is as follows: ::: @@ -25,14 +25,14 @@ Global Settings. ## Device Types (Standard) Endpoint Protector supports a wide range of device types, which represent key sources of security -breaches. These devices can be authorized, which makes it possible for the users to view, create, or -modify their content and for administrators to view the data transferred to and from the authorized +breaches. These devices can be authorized, which allows users to view, create, or +modify their content and allows administrators to view the data transferred to and from the authorized devices. ![Standard supported Devices](standarddevices.webp) - Removable Storage Devices -- Normal USB Flash Drives, U3 and Autorun Drives, Disk on Key, etc. +- Normal USB Flash Drives, U3, and Autorun Drives, Disk on Key, etc. - USB 1.1, USB 2.0, USB 3.0 - Memory Cards - SD Cards, MMC Cards, Compact Flash Cards, etc. - Card Readers - internal and external @@ -54,6 +54,11 @@ devices. - Floppy disk drives - Serial ATA Controllers - Network Printers +- Audio cards + +:::note +Audio Device Control for sound cards is supported only on Windows and applies only to the audio output channel. Audio input channels, whether analog or digital, aren't covered. +::: Depending on the device type, besides the Allow and Deny Access rights, additional rights are also available. These include Read-Only Access or multiple combinations of Allow Access but with various @@ -70,7 +75,7 @@ For detailed information on Trusted Device™ and Enforced Encryption, refer to :::note With the WiFi – Block if wired network is present option you can disable the WiFi connection, while a wired network connection is present. The WiFi connection will be available when -the wired network is not present. +the wired network isn't present. ::: @@ -85,8 +90,8 @@ Occasionally, the EPP system may display a limitation where certain webcams can ![Bluetooth Device Management on Mac](macbluetooth.webp) -By default, the majority of device types are blocked. However, as a working internet connection or -wireless keyboards are needed during the configuration process, several devices are set to Allow +By default, Endpoint Protector blocks the majority of device types. However, because you need a working internet connection or +wireless keyboards during the configuration process, Endpoint Protector sets several devices to Allow Access. These include Wi-Fi, Bluetooth, Network Share, Additional Keyboard, and USB Modem. ![Device Type configuration](devicetypes.webp) @@ -98,15 +103,14 @@ environments. You can also use this option to manage USB access through the virtual environment. -When using a virtual environment, the USB devices will not be displayed in the Endpoint Protector -Notifier with their original names, VID and PID information. Only the original information will +When using a virtual environment, the Endpoint Protector Notifier will not display the USB devices with their original names, VID, and PID information. Only the original information will remain the serial number. -For example; in the below image, you can view the 3 devices detected by Endpoint Protector have -different VID, PID and device code, but they all have the same serial number. +For example; in the following image, you can view the 3 devices detected by Endpoint Protector have +different VID, PID, and device code, but they all have the same serial number. :::note -The Endpoint Protector Client does not distinguish between USB devices (e.g. USB hard +The Endpoint Protector Client doesn't distinguish between USB devices (e.g. USB hard drive vs USB Webcam) by Device name/VID/PID. ::: @@ -117,7 +121,7 @@ drive vs USB Webcam) by Device name/VID/PID. From this section, you can manage access rights for a specific device. -Device rights can be set either Globally or, per Group, User, or Computer, by using the Manage +You can set device rights either Globally or per Group, User, or Computer by using the Manage Rights action from each section/entity. ![Manage access rights for a specific device.](specificdevices.webp) @@ -142,9 +146,8 @@ adding devices: ![ Add multiple devices at the same time.](multipledevices.webp) :::note -Although this feature can work in situations where the Serial Number range does not follow -a noticeable pattern, this is not recommended. In this type of situation, some devices will be -ignored by Endpoint Protector and will not have the expected effect. +Although this feature can work in situations where the Serial Number range doesn't follow +a noticeable pattern, this isn't recommended. In this type of situation, Endpoint Protector will ignore some devices, and they will not have the expected effect. ::: diff --git a/docs/endpointprotector/gettingstarted.md b/docs/endpointprotector/gettingstarted.md index b0be8a99ea..070b27f6d6 100644 --- a/docs/endpointprotector/gettingstarted.md +++ b/docs/endpointprotector/gettingstarted.md @@ -8,11 +8,10 @@ sidebar_position: 2 Welcome to Netwrix Endpoint Protector, your solution for securing endpoint data. With features like Device Control, Content Aware Protection, eDiscovery, and Enforced Encryption, Endpoint Protector -safeguards against data breaches from a wide range of endpoints, including portable storage devices -such as USB flash drives, external HDDs, digital cameras, MP3 players, and iPods. These devices are -seamlessly connected to Windows, Mac, or Linux computers, increasing the risk of data theft or -accidental loss. Ensure compliance and protect sensitive information with our user-friendly -platform. +safeguards against data breaches originating from a wide range of endpoints, including portable storage devices +such as USB flash drives, external HDDs, digital cameras, MP3 players, and iPods. These devices connect +seamlessly to Windows, Mac, or Linux computers, increasing the risk of data theft or +accidental loss. Ensure compliance and protect sensitive information with Netwrix Endpoint Protector. ## System Requirements @@ -118,7 +117,7 @@ See the [System Configuration](/docs/endpointprotector/admin/systemconfiguration - Transition to Blocking Policies: - - Duplicate "Report Only" CAP policies and modify them to enforce restrictions. + - Duplicate "Report Only" Content Aware Protection (CAP) policies and modify them to enforce restrictions. - Activate blocking policies to prevent unauthorized data movements. See the [Content Aware Protection](/docs/endpointprotector/admin/cap_module/capmodule.md) topic for more diff --git a/docs/kb/1secure/0-images/servlet_image_07c7409683d2.png b/docs/kb/1secure/0-images/servlet_image_07c7409683d2.png deleted file mode 100644 index ec4c1c0a75..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_07c7409683d2.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_0f3e849ec385.png b/docs/kb/1secure/0-images/servlet_image_0f3e849ec385.png deleted file mode 100644 index 6314042be6..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_0f3e849ec385.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_117381e3f99f.png b/docs/kb/1secure/0-images/servlet_image_117381e3f99f.png deleted file mode 100644 index cf9c2f4ed7..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_117381e3f99f.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_16fc9e2e2432.png b/docs/kb/1secure/0-images/servlet_image_16fc9e2e2432.png deleted file mode 100644 index 7cff2ec2f2..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_16fc9e2e2432.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_21d63c042bef.png b/docs/kb/1secure/0-images/servlet_image_21d63c042bef.png deleted file mode 100644 index caaf7e1825..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_21d63c042bef.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_22726c8e5cb9.png b/docs/kb/1secure/0-images/servlet_image_22726c8e5cb9.png deleted file mode 100644 index 4ceb4abf5b..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_22726c8e5cb9.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_2b1a501d40fd.png b/docs/kb/1secure/0-images/servlet_image_2b1a501d40fd.png deleted file mode 100644 index 24aea70253..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_2b1a501d40fd.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_35245db9daa9.png b/docs/kb/1secure/0-images/servlet_image_35245db9daa9.png deleted file mode 100644 index b3ddc65b45..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_35245db9daa9.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_491abdc2366b.png b/docs/kb/1secure/0-images/servlet_image_491abdc2366b.png deleted file mode 100644 index 9f08679437..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_491abdc2366b.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_4e7a38bb30d6.png b/docs/kb/1secure/0-images/servlet_image_4e7a38bb30d6.png deleted file mode 100644 index 12ffde6a4d..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_4e7a38bb30d6.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_4f237c8e6acb.png b/docs/kb/1secure/0-images/servlet_image_4f237c8e6acb.png deleted file mode 100644 index 49e833d91b..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_4f237c8e6acb.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_808a1a23eec9.png b/docs/kb/1secure/0-images/servlet_image_808a1a23eec9.png deleted file mode 100644 index 4367d07754..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_808a1a23eec9.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_9751657fe7cd.png b/docs/kb/1secure/0-images/servlet_image_9751657fe7cd.png deleted file mode 100644 index 5e629f43cb..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_9751657fe7cd.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_9a7649f21943.png b/docs/kb/1secure/0-images/servlet_image_9a7649f21943.png deleted file mode 100644 index b94070c01e..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_9a7649f21943.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_9ccee298858e.png b/docs/kb/1secure/0-images/servlet_image_9ccee298858e.png deleted file mode 100644 index 1149f9c85f..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_9ccee298858e.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_c706e5610294.png b/docs/kb/1secure/0-images/servlet_image_c706e5610294.png deleted file mode 100644 index 48554b7058..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_c706e5610294.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_d2bd2889a956.png b/docs/kb/1secure/0-images/servlet_image_d2bd2889a956.png deleted file mode 100644 index 1d293ab073..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_d2bd2889a956.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_d8afec47d2b9.png b/docs/kb/1secure/0-images/servlet_image_d8afec47d2b9.png deleted file mode 100644 index 55b566df5d..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_d8afec47d2b9.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_e3eecaa55357.png b/docs/kb/1secure/0-images/servlet_image_e3eecaa55357.png deleted file mode 100644 index ca4f18dec2..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_e3eecaa55357.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_ebb3b2e4c66a.png b/docs/kb/1secure/0-images/servlet_image_ebb3b2e4c66a.png deleted file mode 100644 index e650b91b03..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_ebb3b2e4c66a.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_f5c0eb62aa44.png b/docs/kb/1secure/0-images/servlet_image_f5c0eb62aa44.png deleted file mode 100644 index 35f212ee7b..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_f5c0eb62aa44.png and /dev/null differ diff --git a/docs/kb/1secure/0-images/servlet_image_ff7ee6960cb2.png b/docs/kb/1secure/0-images/servlet_image_ff7ee6960cb2.png deleted file mode 100644 index 4eb35caaf1..0000000000 Binary files a/docs/kb/1secure/0-images/servlet_image_ff7ee6960cb2.png and /dev/null differ diff --git a/docs/kb/1secure/troubleshooting/password-never-expires-report-shows-incorrect-data.md b/docs/kb/1secure/troubleshooting/password-never-expires-report-shows-incorrect-data.md index d5e823c35c..0c063878bc 100644 --- a/docs/kb/1secure/troubleshooting/password-never-expires-report-shows-incorrect-data.md +++ b/docs/kb/1secure/troubleshooting/password-never-expires-report-shows-incorrect-data.md @@ -1,6 +1,6 @@ --- description: >- - Netwrix OneSecutre may report the Password never expires setting as enabled + Netwrix 1Secure may report the Password never expires setting as enabled for accounts even though Active Directory shows it as disabled. This article explains the cause (a GPO with maxPasswordAge=0) and how to resolve it. keywords: @@ -9,7 +9,7 @@ keywords: - GPO - Group Policy - Active Directory - - Netwrix OneSecutre + - Netwrix 1Secure - password policy - report products: @@ -29,8 +29,8 @@ In Netwrix 1Secure, the **Password never expires** setting is incorrectly report ## Cause -A GPO with the `maxPasswordAge=0` parameter is applied to the affected accounts. The parameter causes Netwrix OneSecutre to report the **Password never expires** setting as enabled. +A GPO with the `maxPasswordAge=0` parameter is applied to the affected accounts. The parameter causes Netwrix 1Secure to report the **Password never expires** setting as enabled. ## Resolution -In the corresponding GPO, set the `maxPasswordAge` parameter to any non-zero value. This will allow Netwrix OneSecutre to correctly report the affected accounts. +In the corresponding GPO, set the `maxPasswordAge` parameter to any non-zero value. This will allow Netwrix 1Secure to correctly report the affected accounts. diff --git a/docs/kb/CLAUDE.md b/docs/kb/CLAUDE.md index 21a899c203..e8acdaa18a 100644 --- a/docs/kb/CLAUDE.md +++ b/docs/kb/CLAUDE.md @@ -2,6 +2,84 @@ KB articles live in `docs/kb/`. When writing or editing KB articles, follow `kb_style_guide.md` at the repo root for all style decisions. +## Frontmatter + +Every KB article must begin with a frontmatter block containing all of the following fields: + +| Field | Notes | +|---|---| +| `title` | Full article title as a quoted string. Must match the H1 heading exactly. | +| `description` | 1–2 sentence SEO summary. Use `>-` for multiline values. | +| `sidebar_label` | Matches the title. May be shortened if the title is long. | +| `keywords` | 8–12 relevant technical and product terms as a YAML list. | +| `products` | One or more product IDs from the product names table in `kb_style_guide.md`, as a YAML list. | +| `tags` | YAML list. **Must include `kb`.** May also include the category folder name (e.g., `troubleshooting-and-errors`). | +| `knowledge_article_id` | Salesforce Knowledge Article ID. Format: `kA` followed by alphanumeric characters. | + +The `kb` tag is mandatory for all KB articles regardless of topic or product. It enables KB-specific filtering in Algolia search. Do not omit it. + +## Folder Organization + +KB articles live in `docs/kb//`. Some product folders use category subfolders (e.g., `docs/kb/privilegesecure/troubleshooting-and-errors/`); others drop articles directly in the product folder (e.g., `docs/kb/pingcastle/`). Each folder that contains articles has a `0-images/` subfolder for that article's images. + +Never manually copy KB articles into versioned product folders — the KB copy script handles that at build time. + +### Adding a New Article + +Check whether the target product folder has category subfolders. If it does, place the article in the most appropriate subfolder. If the product folder contains no subfolders, place the article directly in it. Store the article's images in `0-images/` alongside the article, creating the folder if it doesn't exist. + +### Moving an Article + +After moving any article, search the repo for links pointing to the old file path and update them. The build is configured to throw on broken links, so stale references will cause build errors. + +Only update links in canonical KB source files under `docs/kb/`. The versioned copies under `docs///kb/` are gitignored and regenerated by the KB copy script at build time — never edit those directly. + +#### Within the same product folder + +When moving an article between folders in the same product (e.g., from `docs/kb/privilegesecure/` to `docs/kb/privilegesecure/troubleshooting-and-errors/`): + +1. Move the `.md` file to the target folder. +2. Move the article's images to the `0-images/` folder alongside its new location. +3. Update all image path references inside the article to match the new path. +4. Update any links to the article in other files to use the new path. +5. Update the category tag in the article's `tags` frontmatter field to match the destination folder name (e.g., `troubleshooting-and-errors`). + +The `products` frontmatter field does not need to change. + +#### To a different product folder + +When moving an article to a different product (e.g., from `docs/kb/1secure/` to `docs/kb/privilegesecure/troubleshooting-and-errors/`): + +1. Move the `.md` file to the target folder. +2. Move the article's images to the new product's `0-images/` folder (at the same level as the article). +3. Update all image path references inside the article. +4. Update any links to the article in other files to use the new path. +5. Update the category tag in the article's `tags` frontmatter field to match the destination folder name. +6. Update the `products` frontmatter field — the article now belongs to a different product. +7. Review the article body for references to the old product name and update them. + +### Creating a New Category Folder + +If no suitable category subfolder exists for a product: + +1. Create the folder under `docs/kb//` using a lowercase, hyphenated name (e.g., `troubleshooting-and-errors`). +2. Add a `_category_.json` file. Use `position: 999` to place the category last in the sidebar, or set a lower number to control its position relative to other category folders: + +```json +{ + "label": "Troubleshooting and Errors", + "position": 999, + "collapsed": true, + "collapsible": true +} +``` + +3. Place the article in the new folder and create a `0-images/` subfolder for its images. + +### Testing KB moves locally + +After moving KB files, do not rely on hot reload. Run `npm run kb:clean && npm run start` to wipe the stale versioned copies and rebuild from the current canonical source. Without the clean step, the old path may still resolve in the dev server even after the file has moved. + ## Conflicts with docs/CLAUDE.md Two rules in `docs/CLAUDE.md` do NOT apply to KB articles: diff --git a/docs/kb/accessanalyzer/connection-profiles-and-credentials/determining_which_access_analyzer_collectors_support_gmsa.md b/docs/kb/accessanalyzer/connection-profiles-and-credentials/determining_which_access_analyzer_collectors_support_gmsa.md index 8531f409b5..6704acd2fc 100644 --- a/docs/kb/accessanalyzer/connection-profiles-and-credentials/determining_which_access_analyzer_collectors_support_gmsa.md +++ b/docs/kb/accessanalyzer/connection-profiles-and-credentials/determining_which_access_analyzer_collectors_support_gmsa.md @@ -27,21 +27,21 @@ Which Netwrix Access Analyzer (formerly Enterprise Auditor) data collectors supp ## Answer -Not all data collectors in Netwrix Access Analyzer are compatible with gMSA. gMSAs are used to enhance security and simplify password management for services running on Windows, but they require explicit support within the collector's implementation. +Not all data collectors in Netwrix Access Analyzer are compatible with gMSA. gMSAs enhance security and simplify password management for services running on Windows, but they require explicit support within the collector's implementation. -The following Netwrix Access Analyzer data collectors have been tested and confirmed to support execution under a **gMSA**: +The following Netwrix Access Analyzer data collectors support execution under a **gMSA**: - **ADActivity** - **ADInventory** - **ADPermissions** -- **FSAA** +- **File System Access Audit (FSAA)** - **PasswordSecurity** - **SmartLog** (only when using **Network Query** mode) -- **SPAA** +- **SharePoint Access Auditing (SPAA)** > **NOTE:** The **SmartLog** collector supports gMSA only when it is configured to use **Network Query**. It does **not** support gMSA in other modes. -Ensure that the gMSA account is granted all required permissions as described in the Help Center: +Grant the gMSA account all required permissions as described in the Help Center: [Configure a gMSA Account for Collector Connections](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/settings/connection/gmsa) diff --git a/docs/kb/accessanalyzer/installation-and-upgrades/access-analyzer-upgrade-workflow-aic.md b/docs/kb/accessanalyzer/installation-and-upgrades/access-analyzer-upgrade-workflow-aic.md index 5dda96ab54..b0dbdb3a8c 100644 --- a/docs/kb/accessanalyzer/installation-and-upgrades/access-analyzer-upgrade-workflow-aic.md +++ b/docs/kb/accessanalyzer/installation-and-upgrades/access-analyzer-upgrade-workflow-aic.md @@ -77,4 +77,4 @@ Follow these steps to complete the AIC upgrade: 4. Verify that the AIC configuration settings match those saved during the preparation phase. -5. Verify that the built-in admin account for the AIC is either disabled or that the password has been changed. +5. Verify that the built-in AIC admin account is disabled or that you have set a new password for it. diff --git a/docs/kb/accessanalyzer/troubleshooting-and-errors/error-removed-host-name-in-aic-andor-fsaa-host-table.md b/docs/kb/accessanalyzer/troubleshooting-and-errors/error-removed-host-name-in-aic-andor-fsaa-host-table.md index a858042732..b9d88d9629 100644 --- a/docs/kb/accessanalyzer/troubleshooting-and-errors/error-removed-host-name-in-aic-andor-fsaa-host-table.md +++ b/docs/kb/accessanalyzer/troubleshooting-and-errors/error-removed-host-name-in-aic-andor-fsaa-host-table.md @@ -28,13 +28,13 @@ You have used the **Remove host data** option in the **FILESYSTEMACCESS** Data C Re-run the job used to remove the host data against the full **!Removed-…** name. -- This is typically a custom job that was created. If you are unsure what job was run, please see the following article for how to create a custom job to drop File Server host data: [How to Drop File System Data from Netwrix Access Analyzer](/docs/kb/accessanalyzer/file-system-and-sensitive-data-discovery/dropping_file_system_data.md). +- You typically ran a custom job. If you are unsure which job you ran, see [How to Drop File System Data from Netwrix Access Analyzer](/docs/kb/accessanalyzer/file-system-and-sensitive-data-discovery/dropping_file_system_data.md) for steps to create a custom job to drop File Server host data. - If you have already rerun the job and it throws a timeout error, then change the job timeout to a longer value. 1. Right-click the job, then select **Properties** and adjust the **Timeout minutes setting** in the General tab. - 2. Setting this value to **1440 minutes (24 hours)** for safety should suffice, although the job is unlikely to take this long. - 3. This is to allow the job to run without timing out if there is much data to be dropped. + 2. Setting this value to **1440 minutes (24 hours)** should be sufficient. + 3. This prevents the job from timing out if it needs to drop a large amount of data. ## Related Article diff --git a/docs/kb/accessanalyzer/troubleshooting-and-errors/fsaa-registry-key-error.md b/docs/kb/accessanalyzer/troubleshooting-and-errors/fsaa-registry-key-error.md index cfda2c92b0..208729a8c4 100644 --- a/docs/kb/accessanalyzer/troubleshooting-and-errors/fsaa-registry-key-error.md +++ b/docs/kb/accessanalyzer/troubleshooting-and-errors/fsaa-registry-key-error.md @@ -28,12 +28,12 @@ knowledge_article_id: kA04u0000000IvhCAE ## Issue `Error during processing: Could not open registry key SYSTEM\CurrentControlSet\Services\SBTLogging\Parameters for reading: Access is denied (5); local: False` -If you get this error after running an FSAA scan, the scan was unable to open a registry key. +If you get this error after running a File System Access Audit (FSAA) scan, the scan was unable to open a registry key. ## Instructions ### Windows -If you get this after scanning a Windows host, either the registry key doesn't exist or access is denied. To investigate: +If you get this after scanning a Windows host, either the registry key does not exist or the scan cannot access it. To investigate: 1. Open **Regedit**. 2. From **Start**, open **CMD** and run **Regedit** (run it using the same credential as the scan). diff --git a/docs/kb/activitymonitor/integrations-and-data-sources/manually-setting-up-sharepoint-online-auditing.md b/docs/kb/activitymonitor/integrations-and-data-sources/manually-setting-up-sharepoint-online-auditing.md index 2a13c39171..a2df291ff1 100644 --- a/docs/kb/activitymonitor/integrations-and-data-sources/manually-setting-up-sharepoint-online-auditing.md +++ b/docs/kb/activitymonitor/integrations-and-data-sources/manually-setting-up-sharepoint-online-auditing.md @@ -31,8 +31,8 @@ How do I set up SharePoint Online auditing without using the `SP_RegisterAzureAp ## Answer -It is always recommended to use the `SP_RegisterAzureAppAuth` instant job to set up the Entra app for auditing. -However, the process can be completed manually if necessary, such as if MFA cannot be temporarily disabled for a Global Admin account. +Always use the `SP_RegisterAzureAppAuth` instant job to set up the Entra app for auditing. +However, you can complete the process manually if necessary — for example, if you cannot temporarily disable MFA for a Global Admin account. ### SPAA/SPSEEK Scans @@ -93,7 +93,7 @@ However, the process can be completed manually if necessary, such as if MFA cann 11. Navigate back to the SharePoint App registrations page, and on the **Certificates & Secrets** page, click **↑ Upload certificate** to upload the `spaa_cert_domain.cert` file. ![](../0-images/ka0Qk000000D6nZ_0EMQk00000Bl8rp.png) -12. Navigate to the **Overview** tab and copy the **Application (client) ID**. This will be used for the Access Analyzer connection profile. +12. Navigate to the **Overview** tab and copy the **Application (client) ID**. Use this as the Access Analyzer connection profile identifier. 13. In Netwrix Access Analyzer, navigate to **Global Options > Connection** and create a connection profile with the same name as the SharePoint app registration, using the following: - **Account Type:** Azure Active Directory - **Client ID:** Application (client) ID from SharePoint App Registration @@ -106,11 +106,11 @@ However, the process can be completed manually if necessary, such as if MFA cann - Example: `C:\Program Files (x86)\STEALTHbits\StealthAUDIT\PrivateAssemblies\spaa_cert_domain.pfx,YourPasswordHere,0` 14. Create a host list with the SharePoint site, for example: `YourOrganization.SharePoint.com`. 15. Set the SharePoint job group to run against the SharePoint host list. -16. Set the SharePoint job group to use the new SharePoint Connection Profile, and SPAA/SPSEEK is now configured for auditing. +16. Set the SharePoint job group to use the new SharePoint Connection Profile. SharePoint Access Auditing (SPAA) and Sensitive Data Discovery Auditing (SPSEEK) are now configured for auditing. ### SPAC Scans -The SPAC scan can utilize the same app registration as SPAA/SPSEEK. Follow steps 1–4 from the instructions above if an app has not already been created. +The SharePoint Activity Auditing (SPAC) scan can use the same app registration as SPAA/SPSEEK. If you have not already created an app, follow steps 1–4 from the SPAA/SPSEEK Scans section. 1. From the Application Overview page, navigate to **Manage > API Permissions** and select **Add a permission**. ![](../0-images/ka0Qk000000D6nZ_0EMQk00000Bl91V.png) @@ -145,11 +145,11 @@ The SPAC scan can utilize the same app registration as SPAA/SPSEEK. Follow steps - **Client ID:** Entra Application (client) ID from the manually created app. - **Client Secret:** This is the **Secret Value** copied earlier. - **Region:** Optional – leave blank if not applicable. - - **SharePoint Online Operations:** Select what SharePoint activity is to be collected (all options are selected by default). + - **SharePoint Online Operations:** Select what SharePoint activity to collect (all options are selected by default). - **Users to Exclude:** Add any users you do not want to collect SharePoint activity for. - **Where to log the activity:** Select **Log File**. - - **File Output:** Select a log file path, set the retention period for activity logs, and ensure the box for **This log file is for Netwrix Access Analyzer** is checked. -9. After completing the above steps, you should see the SharePoint Online host added to the Monitored Hosts tab with green checkmarks, indicating successful connection and setup. + - **File Output:** Select a log file path, set the retention period for activity logs, and select the **This log file is for Netwrix Access Analyzer** checkbox. +9. After completing the above steps, the SharePoint Online host appears in the Monitored Hosts tab with green checkmarks, confirming a successful connection. 10. In Netwrix Access Analyzer, navigate to **SharePoint > 0.Collection > 3-SPAC_SystemScans > Configure > Queries > Query Properties > Configure**. ![](../0-images/ka0Qk000000D6nZ_0EMQk00000Bl7e3.png) 11. On the **Activity Date Scope**, set how long to retain the SharePoint activity in the Access Analyzer database. @@ -157,9 +157,9 @@ The SPAC scan can utilize the same app registration as SPAA/SPSEEK. Follow steps ![](../0-images/ka0Qk000000D6nZ_0EMQk00000Bl9hR.png) - **Host name:** This should match the monitored host name in Activity Monitor, e.g., `YourOrganization.SharePoint.com`. - - **Activity log UNC path:** This is the file output path in UNC format, e.g., `\AgentHost\C$\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs`. + - **Activity log UNC path:** This is the file output path in Universal Naming Convention (UNC) format, e.g., `\AgentHost\C$\ProgramData\Netwrix\Activity Monitor\Agent\ActivityLogs`. - - This value can be found by converting the file output path from the SharePoint monitored host in Activity Monitor to UNC format. + - To get this value, convert the file output path from the SharePoint monitored host in Activity Monitor to UNC format. ![](../0-images/ka0Qk000000D6nZ_0EMQk00000Bl54M.png) - **Activity archive UNC path:** UNC Path of agent's archive (on the Agents tab), if applicable. diff --git a/docs/kb/activitymonitor/monitoring-platforms-and-storage/recommended-performance-counters-for-sam.md b/docs/kb/activitymonitor/monitoring-platforms-and-storage/recommended-performance-counters-for-sam.md index b699f38705..be1ff00284 100644 --- a/docs/kb/activitymonitor/monitoring-platforms-and-storage/recommended-performance-counters-for-sam.md +++ b/docs/kb/activitymonitor/monitoring-platforms-and-storage/recommended-performance-counters-for-sam.md @@ -21,11 +21,11 @@ knowledge_article_id: kA04u0000000JymCAE # Recommended Performance Counters for SAM -SAM Agent comes with performance counters for some internal runtime data. These counters, along with several standard system-wide counters (memory and CPU usage, TCP disconnections, etc.), can help you diagnose performance issues. +Netwrix Activity Monitor (SAM) Agent comes with performance counters for some internal runtime data. These counters, along with several standard system-wide counters (memory and CPU usage, TCP disconnections, etc.), can help you diagnose performance issues. -The following counters are provided by SAM. +SAM provides the following counters. -## SAM counters +## SAM Counters | Category | Recommended | Counter | Description | | --- | ---: | --- | --- | @@ -37,7 +37,7 @@ The following counters are provided by SAM. | NetApp | ✔ | `Activity Monitor - NetApp\Session Negotiated` | Number of connections established with ONTAP cluster nodes | | NetApp | ✔ | `Activity Monitor - NetApp\Active Connections` | Number of active connections with ONTAP cluster nodes | | NetApp | | `Activity Monitor - NetApp\Outage Files` | Number of outage (resilience) files processed | -| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Received` | Number of events received from CEE | +| VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Received` | Number of events received from Common Event Enabler (CEE) | | VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Received/sec` | Rate at which events are received from CEE | | VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Reported` | Number of events passed the filters and being reported to outputs | | VNX, Isilon, Unity | ✔ | `Activity Monitor - EMC\Events Reported/sec` | Rate at which events are reported to outputs | @@ -47,7 +47,7 @@ The following counters are provided by SAM. | Outputs | ✔ | `Activity Monitor - Outputs\Events Reported/sec` | Rate at which events are reported | | Outputs | | `Activity Monitor - Outputs\Events Reported to Files` | Total number of events reported to log files | | Outputs | | `Activity Monitor - Outputs\Events Reported to Syslog` | Total number of events reported to syslog servers | -| Outputs | | `Activity Monitor - Outputs\Events Reported to AMQP` | Total number of events reported to AMQP servers (not used currently) | +| Outputs | | `Activity Monitor - Outputs\Events Reported to AMQP` | Total number of events reported to Advanced Message Queuing Protocol (AMQP) servers (not used currently) | | Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs` | Number of attempts, both successful and failed, to resolve SIDs to names | | Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs/sec` | Rate at which SIDs are resolved to names | | Outputs | ✔ | `Activity Monitor - Outputs\Resolved SIDs Failures` | Number of failed attempts to resolve SIDs to names | @@ -64,11 +64,11 @@ The following counters are provided by SAM. | Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries Avg Time` | The moving average length of time, in microseconds, per a DNS query | | Outputs | ✔ | `Activity Monitor - Outputs\DNS Queries Max Time` | The moving maximum length of time, in microseconds, per a DNS query | -It makes sense to monitor DNS and Active Directory queries (`DNS Queries...` and `Resolved SIDs...` counters) as they typically contribute the most to the processing time. +Monitor DNS and Active Directory queries (`DNS Queries...` and `Resolved SIDs...` counters), as they typically contribute the most to processing time. -In addition to the SAM counters, we recommend collecting the following system counters: +In addition to the SAM counters, Netwrix recommends collecting the following system counters: -## System counters to collect +## System Counters to Collect | Counter | Notes | | --- | --- | @@ -122,9 +122,9 @@ In addition to the SAM counters, we recommend collecting the following system co | `\Process(MonitorService.exe)\Private Bytes` | | | `\Process(MonitorService.exe)\Working Set` | | -## Prepare for performance monitoring +## Prepare for Performance Monitoring -The SAM performance counters are not registered by default. You need to register them manually. +SAM does not register the performance counters by default. Register them manually. On each SAM Agent server: @@ -153,11 +153,11 @@ On each SAM Agent server: sc start SBTLoggingSvc ``` -## Collect performance data +## Collect Performance Data -The performance data can be observed or saved using any tool capable of collecting performance counters, for example, Performance Monitor. +Use any tool capable of collecting performance counters (for example, Performance Monitor) to view or save the performance data. -Below is a PowerShell script that collects the counters every second and stores them in `perfcounters_SERVERNAME_TIMESTAMP.csv` files. The expected file size per day is about 50MB. +The following PowerShell script collects the counters every second and stores them in `perfcounters_SERVERNAME_TIMESTAMP.csv` files. The expected file size per day is about 50MB. Run the script on each agent server using the following command: @@ -284,9 +284,9 @@ Write-Host "Collecting performance counters to $outputFile... Press Ctrl+C to st Get-Counter @variables | Export-Counter -FileFormat csv -Path $outputFile -Force ``` -## Unregister performance counters +## Unregister Performance Counters -When performance monitoring is not needed anymore, unregister the SAM performance counters. +When you no longer need performance monitoring, unregister the SAM performance counters. On each SAM Agent server: diff --git a/docs/kb/dataclassification/authentication-and-security/service-account-password-reset-for-netwrix-data-classification.md b/docs/kb/dataclassification/authentication-and-security/service-account-password-reset-for-netwrix-data-classification.md index 1acefbd08a..bfb61a0794 100644 --- a/docs/kb/dataclassification/authentication-and-security/service-account-password-reset-for-netwrix-data-classification.md +++ b/docs/kb/dataclassification/authentication-and-security/service-account-password-reset-for-netwrix-data-classification.md @@ -25,17 +25,17 @@ knowledge_article_id: kA04u000000XmHKCA0 ## Overview -After resetting the service account password for Netwrix Data Classification there are several locations within the product and IIS that you must update to reflect this change. This article shows where you need to supply the new password. +After you reset the service account password for Netwrix Data Classification, update the password in several locations within the product and IIS. This article shows where to supply the new password. ## Services ![User-added image](./../0-images/ka0Qk000000455x_0EM4u000001rDFz.png) -Update the **Logon As** value for each of the services listed above to reflect the password change. +Update the **Logon As** value for each service shown in the screenshot to reflect the password change. ## ConceptConfig -Navigate to each of the locations below. These locations control the SQL database connection and the account used to make that connection. Update the account credentials for all three locations. +Navigate to each of the following locations. These locations control the SQL database connection and the account used to make that connection. Update the account credentials for all three locations. 1. `C:\Program Files\ConceptSearching\Services\ConceptCollectorService\conceptConfig.exe` 2. `C:\inetpub\wwwroot\conceptQS\bin\conceptConfig.exe` @@ -45,7 +45,7 @@ Navigate to each of the locations below. These locations control the SQL databas Open IIS and click **Application Pools** on the left-hand pane. Right-click on the **conceptQSAppPool** and click **Advanced Settings**. -Find the **Identity** and update the password to match the new password for the account, then restart the application pool. +Find the **Identity** and enter the new account password, then restart the application pool. ![User-added image](./../0-images/ka0Qk000000455x_0EM4u000001rDGn.png) diff --git a/docs/kb/dataclassification/features-and-operations/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md b/docs/kb/dataclassification/features-and-operations/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md index c8e76e4668..9a7cc68233 100644 --- a/docs/kb/dataclassification/features-and-operations/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md +++ b/docs/kb/dataclassification/features-and-operations/what-usage-and-license-data-is-sent-to-netwrix-by-netwrix-data-classification.md @@ -25,17 +25,17 @@ knowledge_article_id: kA04u0000000JvTCAU ## Question -I want to know if sensitive data is sent outside of my IT Infrastructure by Netwrix Data Classification. +Does Netwrix Data Classification send sensitive data outside of my IT infrastructure? ## Answer -All collected data remains on-prem. The product does send usage statistics, however. This includes the following high level / counter information: +All collected data remains on-premises. The product does send usage statistics, including the following counters: ### Top Level - Licence information (licensee, expiry date, features enabled) - Number of custom taxonomies -- Number of sensitive data taxonomies (# of our predefined taxonomies that have been enabled) +- Number of sensitive data taxonomies (out of the predefined taxonomies you have enabled) ### Per Source Type diff --git a/docs/kb/general/cloud-and-permissions/permission-scanning-errors-and-issues.md b/docs/kb/general/cloud-and-permissions/permission-scanning-errors-and-issues.md index 4536f41f57..bf8e2b5f95 100644 --- a/docs/kb/general/cloud-and-permissions/permission-scanning-errors-and-issues.md +++ b/docs/kb/general/cloud-and-permissions/permission-scanning-errors-and-issues.md @@ -26,20 +26,18 @@ knowledge_article_id: kA0Qk0000001Q25KAE ## Issue -Permission scanning errors and issues with FSAA System Scans. +Permission scanning errors and issues with File System Access Audit (FSAA) System Scans. ## Cause -A network share caused the FSAA system scan to run for extended periods before ultimately aborting the scan. with this issue present the Bulk Imports were put on hold until the scan could complete. +A network share caused the FSAA system scan to run for extended periods before aborting. With this issue present, Bulk Imports went on hold until the scan completed. ## Resolution -1. Discovered that shares weren't accessible due to an access denied error for some shares/subfolders existing on a NetApp server. We determined that having another meeting after running the scan additional exclusions for share is needed for further investigation. +1. If some shares or subfolders on a NetApp server return access denied errors, add exclusions for those shares and rerun the scan to determine whether the issue persists. -2. We discovered that the FSAA proxies were installed in a different directory than what originally was scanned. This may have caused a storage issue with the tier 2 data compression process. We uninstalled the proxies and installed them on the designated drives with an increased amount of space. Additionally, we included folder and share exclusions for a problematic share prompting access denied within the FSAA scans. +2. If the FSAA proxies are installed in a different directory from the one originally scanned, this can cause storage issues with the tier 2 data compression process. Uninstall the proxies and reinstall them on the designated drives with sufficient space. Add folder and share exclusions for any shares causing access denied errors in the FSAA scans. -3. We discovered that the scheduled FSAA task started a secondary scan after the initial scan started. We then investigated job logs and discovered that the scheduled task timed out and then the secondary task was initiated. We then made changes to the query properties of the FSAA scan not to restart and continue where the scan left off. We then restarted the scan and suggested monitoring the scan after changes were made. +3. If a scheduled FSAA task starts a secondary scan while the initial scan is still running, the scheduled task may have timed out and triggered a second instance. In the query properties for the FSAA scan, disable the restart option so the scan continues from where it left off. Restart the scan and monitor it. -4. We discovered that the FSAA system scan was able to progress past the network share that was causing it to previously hang. We suggested allowing for the scan to run again, monitor the job and if you experience a hang time with the FSAA system scan again please generate a process dump on the FSAA proxy host using the steps provided in the documentation below. - -https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA04u0000000InUCAU.html +4. If the FSAA system scan hangs on a specific network share, allow the scan to complete past that share and monitor the job. If the scan hangs again, generate a process dump on the FSAA proxy host using the steps in [this documentation](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA04u0000000InUCAU.html). diff --git a/docs/kb/general/troubleshooting-and-errors/spac-bulk-import-error.md b/docs/kb/general/troubleshooting-and-errors/spac-bulk-import-error.md index 020752cbbd..3dcf58a256 100644 --- a/docs/kb/general/troubleshooting-and-errors/spac-bulk-import-error.md +++ b/docs/kb/general/troubleshooting-and-errors/spac-bulk-import-error.md @@ -24,7 +24,7 @@ knowledge_article_id: kA0Qk0000001PxFKAU ## Issue -SPAC Bulk Import is prompting the below error: +The SharePoint Activity Auditing (SPAC) Bulk Import job shows the following error: ```text ERROR  SHAREPOINTACCESS  Netwrix.StealthAUDIT.DataCollectors.Tasks.Task.StartExecute  "[C:8] Unable to perform bulk import Error: The MERGE statement conflicted with the FOREIGN KEY constraint "FK_SA_SPAC_GroupMembershipChanges_HOST_ID". The conflict occurred in database "Access Analyzer", table "dbo.SA_SPAC_ActivityEvents". The statement has been terminated."  POINT32HEALTH.SHAREPOINT.COM  DCExtract  8640  6516  6284 @@ -32,8 +32,8 @@ ERROR  SHAREPOINTACCESS  Netwrix.StealthAUDIT.DataCollectors.Tasks.Task. ## Cause -The SPAC Bulk Import was unable to be completed due to a foreign key constraint merge between the SP_SPAC_GroupMembershipChanges table and the SA_SPAC_ActiviyEvents table. +The SPAC Bulk Import could not complete due to a foreign key constraint conflict between the SP_SPAC_GroupMembershipChanges table and the SA_SPAC_ActiviyEvents table. ## Resolution -We removed all SPAA and SPAC tables since there's a 180-day retention period on SP activity. Once all tables were removed from the database we then reran the SPSEEK jobs and verified that the tables were repopulated on the database. We suggest allowing these scans to run and monitor the SPAC bulk import job. After monitoring the job it was confirmed that the SPAC Bulk Import job was successful. +Remove all SharePoint Access Auditing (SPAA) and SPAC tables — there is a 180-day retention period on SharePoint activity. After removing the tables, rerun the SharePoint Sensitive Data Discovery Auditing (SPSEEK) jobs and verify that the tables are repopulated in the database. Allow these scans to run and monitor the SPAC Bulk Import job to confirm it completes successfully. diff --git a/docs/kb/passwordpolicyenforcer/ppe-supportability.md b/docs/kb/passwordpolicyenforcer/ppe-supportability.md new file mode 100644 index 0000000000..6d8be1ffcc --- /dev/null +++ b/docs/kb/passwordpolicyenforcer/ppe-supportability.md @@ -0,0 +1,140 @@ +--- +title: "Understanding Password Policy Enforcer Supportability" +description: >- + Defines support levels for Password Policy Enforcer versions, including which + versions receive bug fixes, security patches, and configuration assistance. +sidebar_label: PPE Supportability +sidebar_position: 0 +keywords: + - PPE supportability + - Password Policy Enforcer support policy + - supported versions + - bug fix policy + - security patch policy + - version support lifecycle + - active support + - limited support + - discontinued support + - upgrade + - PPE +products: + - password_policy_enforcer +tags: + - kb +--- + +# Understanding Password Policy Enforcer Supportability + +## Overview + +Netwrix Password Policy Enforcer (PPE) helps customers enforce consistent password policies. This article defines what level of support you can expect based on the version of PPE you are running, and sets clear expectations for how bug fixes, security patches, and configuration assistance are provided. + +Only the latest available version of PPE receives active bug-fix support. The previous major version (N−1) receives configuration guidance and security vulnerability fixes. Versions older than N−1 are out of support entirely. + +--- + +### Currently Supported Versions + +The latest version of PPE is always the definitive reference — check the [Netwrix Customer Portal](https://www.netwrix.com/support.html) for the current release. + +| Version Track | Example | Support Level | Bug Fixes | Security Fixes | Config Advice | +|---|---|---|---|---|---| +| Latest (N) | 11.x (current) | Active Support | Yes | Yes | Yes | +| Previous Major (N−1) | 10.x | Limited Support | No | Yes | Yes | +| All Earlier Versions | 9.x and below | Discontinued | No | No | No | + +--- + +### Support Level Definitions + +#### Active Support (Latest Version) + +The latest version of PPE — always available in the Netwrix Customer Portal — is the only version in Active Support. A version in Active Support: + +- Receives bug fixes and defect resolutions +- Receives security vulnerability patches +- Is eligible for full technical support assistance from Netwrix +- Is eligible for professional services assistance +- Is the only version against which Netwrix engineers will test and verify reported issues + +> **NOTE:** All PPE components — the PPE Server, Client, Configuration Console, and PPE Web — ship together as a single release. To be on the latest version, all components must be upgraded together. A mixed-version deployment (for example, latest Server with an older Console) is not a supported configuration. + +#### Limited Support (N−1: Previous Major Version) + +The previous major version of PPE receives Limited Support. This means: + +- Netwrix will not develop or ship new bug fixes for this version. +- Netwrix will patch security vulnerabilities discovered in this version. +- Netwrix support engineers will provide configuration guidance to help you get the best results from your existing installation. +- Netwrix will only investigate bug reports on N−1 if you can first reproduce and confirm the issue on the latest version — if confirmed, a fix will target the latest version only. +- Professional services assistance is available for existing configurations, but not for new customizations. + +Netwrix will work with you on your existing installation and help you configure your environment effectively. Netwrix strongly recommends upgrading to the latest version and will raise this recommendation on every interaction. Upgrades take time, and Netwrix will continue to provide guidance during this period. + +#### Discontinued Support (N−2 and Earlier) + +Any version of PPE that is two or more major versions behind the current release is fully out of support. This means: + +- No bug fixes, security patches, or updates of any kind +- Not eligible for technical support assistance +- Not eligible for professional services assistance +- Not available for download in the Netwrix Customer Portal + +Customers on discontinued versions must upgrade to a supported version to receive any assistance. The Netwrix support team can provide guidance on the upgrade path. + +--- + +### PPE Components and Version Alignment + +PPE is composed of the following components, which are released and versioned together: + +| Component | Description | +|---|---| +| PPE Server | Core enforcement engine, installed on domain controllers | +| PPE Client | End-user-facing component providing password feedback at the workstation | +| Configuration Console | Administrative UI for managing password policies | +| PPE Web | Web-based interface for self-service password changes and resets | + +All four components ship as a single versioned release. For a deployment to be considered fully on the latest version — and therefore eligible for Active Support and bug fixes — all components must be upgraded to the same current release. Running mismatched component versions is not a supported configuration and may result in unpredictable behavior. + +--- + +## Instructions + +### For Customers on the Latest Version + +If you are running the latest version of PPE with all components upgraded: + +- You are fully supported and eligible for bug fixes, security patches, and full technical assistance. +- When reporting an issue, be prepared to describe your environment, the components involved, and steps to reproduce. +- Netwrix engineers will test against your configuration and, if confirmed, file and fix the defect. + +### For Customers on N−1 (Previous Major Version) + +If you are on the previous major version of PPE: + +- The support team will provide configuration guidance to help you work within your current version. +- If you report a bug, Netwrix will ask you to first verify whether the issue exists in the latest version (in production or a test environment). +- If the issue is confirmed in the latest version, Netwrix will develop a fix for the latest version only and will not backport it to N−1. +- Netwrix will patch security vulnerabilities for N−1. +- Netwrix will recommend upgrading to the latest version at every opportunity. + +> **NOTE:** Maintaining a small test lab with the latest PPE version allows you to verify reported issues and use the latest fixes without disrupting your production environment. + +### For Customers on N−2 or Earlier + +Customers on any version older than N−1 are not eligible for support. Netwrix strongly recommends upgrading to the latest version. The support team is available to help you plan and execute the upgrade path. + +--- + +### Upgrade Guidance and Best Practices + +Staying current with PPE is the best way to ensure your password policy enforcement is secure, effective, and fully supported. Netwrix recommends: + +- Upgrade all PPE components together when a new version is released — never mix component versions. +- Review the release notes before upgrading to understand what has changed. +- Test upgrades in a non-production environment before rolling out to your full domain. +- Plan upgrades proactively rather than reactively — waiting until you encounter an issue on an unsupported version limits your options. +- Contact the Netwrix support team if you need assistance planning your upgrade. + +Always download the latest version of PPE from the [Netwrix Customer Portal](https://www.netwrix.com/support.html). The Portal is the authoritative source for the current release and its release notes. diff --git a/docs/kb/privilegesecure/authentication-and-mfa/add-active-directory-federation-services-ad-fs-as-an-authentication-connector-saml.md b/docs/kb/privilegesecure/authentication-and-mfa/add-active-directory-federation-services-ad-fs-as-an-authentication-connector-saml.md index 2db748dc43..37bc54cd3e 100644 --- a/docs/kb/privilegesecure/authentication-and-mfa/add-active-directory-federation-services-ad-fs-as-an-authentication-connector-saml.md +++ b/docs/kb/privilegesecure/authentication-and-mfa/add-active-directory-federation-services-ad-fs-as-an-authentication-connector-saml.md @@ -13,7 +13,7 @@ keywords: - Assertion Consumer products: - privilege-secure-access-management -sidebar_label: Add Active Directory Federation Services (AD FS) a +sidebar_label: Add AD FS as a SAML Authentication Connector tags: [] title: "Add Active Directory Federation Services (AD FS) as an Authentication Connector (SAML)" knowledge_article_id: kA04u0000000HR7CAM @@ -23,7 +23,7 @@ knowledge_article_id: kA04u0000000HR7CAM ## Summary -This article outlines the process of adding Active Directory Federation Services (AD FS) to Netwrix Privilege Secure as an Authentication Connector via SAML. The article is split into two sections, *Steps for AD FS* and *Steps for Netwrix Privilege Secure*. Complete the AD FS section first. +This article explains how to add Active Directory Federation Services (AD FS) to Netwrix Privilege Secure as an Authentication Connector via SAML. This article covers two sections: *Steps for AD FS* and *Steps for Netwrix Privilege Secure*. Complete the AD FS section first. ## Instructions @@ -114,7 +114,7 @@ This article outlines the process of adding Active Directory Federation Services ### Steps for Netwrix Privilege Secure -Once the *Steps for AD FS* have been completed, take the following steps in Netwrix Privilege Secure to add AD FS as an Authentication Connector via SAML. +After completing the *Steps for AD FS*, take the following steps in Netwrix Privilege Secure to add AD FS as an Authentication Connector via SAML. 1. As a Netwrix Privilege Secure admin, navigate in Netwrix Privilege Secure to **Configuration > Authentication**, and click the green **"+"** button to add a new Authentication Connector. @@ -126,15 +126,15 @@ Once the *Steps for AD FS* have been completed, take the following steps in Netw 4. On the wizard's **Configure Client** page, enter the following values: - Signin URI: `https://.domain.com/adfs/ls` - Callback Address: `https://:6500/samlSigninCallback` - - CORS: `https://:6500` + - CORS (Cross-Origin Resource Sharing): `https://:6500` ![User-added image](./../0-images/ka04u000000wwIE_0EM4u000004bUj1.png) - Click **Test Connection**. If brought to a log-in page, click **Back** in your web browser and then **Next** in the Netwrix Privilege Secure wizard. If the page refreshes and brings you back to the Netwrix Privilege Secure wizard, click **Next** to proceed. + Click **Test Connection**. If you are redirected to a log-in page, click **Back** in your web browser, then click **Next** in the Netwrix Privilege Secure wizard. If the page refreshes and brings you back to the Netwrix Privilege Secure wizard, click **Next** to proceed. 5. Select "Unspecified" for the **Name ID Policy**, and add a certificate if required. Then, click **Login** and sign in to AD FS using Active Directory credentials. ![User-added image](./../0-images/ka04u000000wwIE_0EM4u000004bUj6.png) - When redirected back to this page after signing in to AD FS, if the message at the bottom reads "Login was successful" then click **Next**. + When AD FS redirects you back to this page after signing in, if the message reads "Login was successful", click **Next**. 6. Locate a mapping you would like to use when users sign in to Netwrix Privilege Secure using AD FS, such as an email address or UPN. ![User-added image](./../0-images/ka04u000000wwIE_0EM4u000004bUjB.png) @@ -147,9 +147,9 @@ Once the *Steps for AD FS* have been completed, take the following steps in Netw - Signout Callback URI: `https://:6500` ![User-added image](./../0-images/ka04u000000wwIE_0EM4u000004bUjL.png) - Click **Test Log Out**, then **Finish** to complete the wizard. AD FS has now been added to Netwrix Privilege Secure (via SAML) as an Authentication Connector. + Click **Test Log Out**, then **Finish** to complete the wizard. Netwrix Privilege Secure now uses AD FS (via SAML) as an Authentication Connector. -8. The last step is to navigate to specific users in Netwrix Privilege Secure's **Users & Groups** menu, and assign the AD FS SAML authenticator. +8. Navigate to specific users in Netwrix Privilege Secure's **Users & Groups** menu and assign the AD FS SAML authenticator. ![User-added image](./../0-images/ka04u000000wwIE_0EM4u000004bUjQ.png) -When using the SAML log-in option, the user will be redirected to sign in to AD FS. Upon successful authentication, the user will be redirected to the Netwrix Privilege Secure UI as their now signed-in user. +When using the SAML log-in option, the user signs in to AD FS. Upon successful authentication, Netwrix Privilege Secure redirects the user to the UI as their signed-in account. diff --git a/docs/kb/1secure/troubleshooting/troubleshoot_failed_action_service_connections_to_windows_resources_psremotingwinrm.md b/docs/kb/privilegesecure/troubleshooting-and-errors/troubleshoot_failed_action_service_connections_to_windows_resources_psremotingwinrm.md similarity index 78% rename from docs/kb/1secure/troubleshooting/troubleshoot_failed_action_service_connections_to_windows_resources_psremotingwinrm.md rename to docs/kb/privilegesecure/troubleshooting-and-errors/troubleshoot_failed_action_service_connections_to_windows_resources_psremotingwinrm.md index dc93884e00..a250db4a01 100644 --- a/docs/kb/1secure/troubleshooting/troubleshoot_failed_action_service_connections_to_windows_resources_psremotingwinrm.md +++ b/docs/kb/privilegesecure/troubleshooting-and-errors/troubleshoot_failed_action_service_connections_to_windows_resources_psremotingwinrm.md @@ -11,22 +11,22 @@ tags: title: "Troubleshoot Failed Action Service Connections to Windows Resources (PSRemoting/WinRM)" knowledge_article_id: kA04u0000000HiICAU products: - - onesecure + - privilegesecure --- # Troubleshoot Failed Action Service Connections to Windows Resources (PSRemoting/WinRM) ## Overview -The NPS Action Service is used for various workflows, including host scans and performing pre- and post-session actions. The Action Service must establish a connection via PowerShell Remoting (PSRemoting) for Windows target resources. PSRemoting is a PowerShell implementation of WinRM (Windows Remote Management). +The Netwrix Privilege Secure (NPS) Action Service handles various workflows, including host scans and pre- and post-session actions. The Action Service must establish a connection via PowerShell Remoting (PSRemoting) for Windows target resources. PSRemoting is a PowerShell implementation of WinRM (Windows Remote Management). -Several variables could affect the successful connection of the NPS Action Service to the target Windows resource via PSRemoting. This article outlines some of those variables and provides ways to troubleshoot and resolve them to establish a connection. +Several variables can affect whether the NPS Action Service connects to the target Windows resource via PSRemoting. This article describes those variables and steps to resolve them. ## Instructions Before running tests, complete the following steps on the target resource: -### Verify PSRemoting and WinRM are enabled +### Verify PSRemoting and WinRM Are Enabled In PowerShell, run the following command: @@ -77,19 +77,19 @@ Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this WinRM firewall exception enabled. ``` -### Verify ports +### Verify Ports -Verify that ports 5985 (HTTP) and/or 5986 (HTTPS) are open in the Windows firewall and any network firewalls. These ports are used for WinRM communications for HTTP and HTTPS, respectively. +Verify that ports 5985 (HTTP) and/or 5986 (HTTPS) are open in the Windows firewall and any network firewalls. WinRM uses these ports for HTTP and HTTPS communications, respectively. -### Review Group Policy settings +### Review Group Policy Settings -There are Group Policy settings used to filter the origin of WinRM requests via both IPv4 and IPv6 filters. If issues with PSRemoting/WinRM communications persist even after enabling PSRemoting/WinRM and verifying firewall settings, it is possible that the IP filter in Group Policy is affecting the communication. +Group Policy settings filter the origin of WinRM requests via IPv4 and IPv6 filters. If issues with PSRemoting/WinRM communications persist after enabling PSRemoting/WinRM and verifying firewall settings, the IP filter in Group Policy may be affecting the communication. Learn more about the **Allow remote server management through WinRM** Group Policy setting in [Configure Remote Management in Server Manager − Enabling or Disabling Remote Management ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#enabling-or-disabling-remote-management). ![Windows Group Policy: Allow remote server management through WinRM](./../0-images/servlet_image_16fc9e2e2432.png) -### Allow full control to Remote Management Users +### Allow Full Control to Remote Management Users Review the access permissions set up for Remote Management Users by running the following command in elevated PowerShell: @@ -97,7 +97,7 @@ Review the access permissions set up for Remote Management Users by running the Get-PSSessionConfiguration -Name Microsoft.PowerShell ``` -Review the permissions of the **BUILTIN\Remote Management Users** group under the **Permission** section. If set to **AccessDenied**, then authenticated network users (i.e., remote PSRemoting requests) will be denied access even if credentials and other variables are correct. +Review the permissions of the **BUILTIN\Remote Management Users** group under the **Permission** section. If the permission is **AccessDenied**, authenticated network users (i.e., remote PSRemoting requests) cannot connect, even if credentials and other variables are correct. **Solution:** Run the following command in elevated PowerShell to review and change permissions for Remote Management Users: @@ -130,7 +130,7 @@ test\admin The output indicates that the credentials used can run remote PowerShell commands on the target resource from the Action Service server via WinRM. -## Related articles +## Related Articles [Configure Remote Management in Server Manager − Enabling or Disabling Remote Management ⸱ Microsoft 🡥](https://learn.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager#enabling-or-disabling-remote-management) diff --git a/docs/kb/privilegesecurediscovery/authentication-and-access/saml-assertion-not-yet-valid.md b/docs/kb/privilegesecurediscovery/authentication-and-access/saml-assertion-not-yet-valid.md index a3a752f023..22140a4383 100644 --- a/docs/kb/privilegesecurediscovery/authentication-and-access/saml-assertion-not-yet-valid.md +++ b/docs/kb/privilegesecurediscovery/authentication-and-access/saml-assertion-not-yet-valid.md @@ -23,7 +23,7 @@ sfdc_migration: original_categories: - privilege_secure_discovery visibility: public -sidebar_label: SAML Assertion not yet Valid +sidebar_label: SAML Assertion Not Yet Valid tags: [] title: "SAML Assertion not yet Valid" knowledge_article_id: kA04u00000110p6CAA @@ -45,7 +45,7 @@ SAML assertion not yet valid In ADFS add the `NotBeforeSkew` value to the relying party on the ADFS server. The number after `NotBeforeSkew` represent the number of minutes to skew the `NotBeforeValue`, so a setting of 3 would result in a `NotBefore` of -3 minutes. -This is the PowerShell command to set `NotBeforeSkew`: +Use the following PowerShell command to set `NotBeforeSkew`: ```powershell Set-ADFSRelyingPartyTrust -TargetIdentifier "" -NotBeforeSkew 3" diff --git a/docs/kb/threatmanager/configuration-and-administration/net_dependencies_for_netwrix_threat_manager.md b/docs/kb/threatmanager/configuration-and-administration/net_dependencies_for_netwrix_threat_manager.md index e1b31bcd87..d165989910 100644 --- a/docs/kb/threatmanager/configuration-and-administration/net_dependencies_for_netwrix_threat_manager.md +++ b/docs/kb/threatmanager/configuration-and-administration/net_dependencies_for_netwrix_threat_manager.md @@ -25,7 +25,7 @@ Which version of .NET is required for Netwrix Threat Manager? ## Answer -ASP.NET Core 8.0.11 (or newer) and .NET Desktop Runtime 8.0.11 (or newer) are required. You can also navigate to the [Netwrix Threat Manager Requirements](https://docs.netwrix.com/docs/threatmanager/3_0/requirements/server) located under **Getting Started**. +Netwrix Threat Manager requires ASP.NET Core 8.0.11 (or newer) and .NET Desktop Runtime 8.0.11 (or newer). See also [Netwrix Threat Manager Requirements](https://docs.netwrix.com/docs/threatmanager/3_0/requirements/server) in **Getting Started**. > **NOTE:** .NET Framework is not the same as ASP.NET Core, and having one does not mean you have the other. ASP.NET Core and .NET Desktop Runtime should show on the list of installed Apps & features; however, .NET Framework does not appear on that list. You can check which versions of .NET Framework you have installed by running the following command in PowerShell: diff --git a/docs/passwordpolicyenforcer/11.1/gettingstarted.md b/docs/passwordpolicyenforcer/11.1/gettingstarted.md index 425e437be9..0377099068 100644 --- a/docs/passwordpolicyenforcer/11.1/gettingstarted.md +++ b/docs/passwordpolicyenforcer/11.1/gettingstarted.md @@ -10,19 +10,19 @@ Review the [Domain and Local Policies](/docs/passwordpolicyenforcer/11.1/install ## Install Products -Password Policy Enforcer (PPE Server) is installed on every domain controller to enforce the +Install Password Policy Enforcer (PPE Server) on every domain controller to enforce the password policy for domain user accounts, or on individual servers and workstations to enforce the password policy for local user accounts. See the [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.1/installation/installationserver.md) or [Install with Group Policy Management](/docs/passwordpolicyenforcer/11.1/installation/installationgpm.md) topics for additional information. -The Configuration Console can be installed on what ever servers are convenient for you to access. It +You can install the Configuration Console on whatever servers are convenient for you to access. It is a selectable feature in the server installation **msi** package. See the [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.1/installation/installationserver.md) topic for additional information. -The Mailer Service is installed on a single server in each domain. See the +Install the Mailer Service on a single server in each domain. See the [Install Password Policy Enforcer on a Server](/docs/passwordpolicyenforcer/11.1/installation/installationserver.md) topic for additional information. @@ -36,18 +36,18 @@ Password Policy Enforcer Web is a separate product enabling users to change thei password from a web browser. See the [Password Policy Enforcer Web](/docs/passwordpolicyenforcer/11.1/web-overview/web_overview.md) topic for additional information. -Create the **Compromised Passwords Base** prior to enabling the Compromised Password Check. See the +Create the **Compromised Passwords Base** before enabling the Compromised Password Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.1/installation/hibpupdater.md) topic for additional information. -## Exclude PPE Files from AntiVirus Checks +## Exclude PPE Files from AntiVirus Checks **Domain Controller** -**PPE.DLL** if this file does not load, the password policy is not enforced. +**PPE.DLL** if this file doesn't load, PPE cannot enforce the password policy. **Clients** -**PPEClt.dll** and **APRClt.dll** if either of these files are blocked, the client does not run. +**PPEClt.DLL** if this file doesn't load, the client doesn't run. ## Next Steps diff --git a/docs/passwordreset/3.3/administration/securing_password_reset.md b/docs/passwordreset/3.3/administration/securing_password_reset.md index efee67016c..8acdfee2bd 100644 --- a/docs/passwordreset/3.3/administration/securing_password_reset.md +++ b/docs/passwordreset/3.3/administration/securing_password_reset.md @@ -6,8 +6,7 @@ sidebar_position: 60 # Securing Password Reset -Password Reset has many inbuilt security features, but there are some things you should do to secure -Password Reset. The most important of these is to install an SSL certificate for the Web Interface. +Password Reset has many built-in security features, but you should take additional steps to secure it. The most important of these is to install an SSL certificate for the Web Interface. You can also set up a standard user account with delegated permissions for the Password Reset Server. @@ -62,9 +61,7 @@ The commands you need to execute are: Where [object] is the distinguished name of the domain or OU containing the user accounts, and [account] is the name of the service account in user@domain or domain\user format. -The first two commands allow NPR to reset passwords and unlock accounts. Both commands are required -even if the Unlock item is hidden from the menu because Password Reset automatically unlocks an -account when its password is reset. The third command allows Password Reset to set **User must +The dsacls commands for Reset Password and lockoutTime allow Netwrix Password Reset (NPR) to reset passwords and unlock accounts. You need both commands even if the Unlock item doesn't appear in the menu, because Password Reset automatically unlocks an account when it resets the password. The third command allows Password Reset to set **User must change password at next logon** in Active Directory if the **Require users to change their password after a reset** option is enabled in the Configuration Console's **Security** tab. diff --git a/docs/platgovsalesforce/changemanagement/setting_up_policies.md b/docs/platgovsalesforce/changemanagement/setting_up_policies.md index 8b03d42de4..29966e3694 100644 --- a/docs/platgovsalesforce/changemanagement/setting_up_policies.md +++ b/docs/platgovsalesforce/changemanagement/setting_up_policies.md @@ -55,10 +55,10 @@ Set the required Change Level for each Metadata Type. The form shows the default | **Change Level** | **Description** | | --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Log Changes Only | Since the scanner automatically logs all changes, this change level requires no actions for compliance. The scanner automatically marks any changes to these objects as compliant. | -| Change Request | Any changes to these objects require an Approved Change Request. | -| Sandbox Development & Testing | Any changes to these objects require an Approved Change Request in the Stage Development Project. It also requires that a parent Change Request is attached to the Development Project. | -| Full Software Development Lifecycle | Any changes to these objects require an Approved Change Request. | +| Log Changes Only | Since the scanner automatically logs all changes, this change level requires no actions for compliance. The scanner automatically marks any changes to these components as compliant. | +| Change Request | Any changes to these components require an Approved Change Request. | +| Sandbox Development & Testing | Any changes to these components require an Approved Change Request in the Stage Development Project. It also requires that you attach a parent Change Request to the Development Project. | +| Full Software Development Lifecycle | Any changes to these components require an Approved Change Request in the Stage Deployment Record or Rollback Record. | ### Code and Data Model Changes @@ -92,11 +92,7 @@ Set the required Change Level for each Metadata Type. The form shows the default ![Control Change Levels](/images/platgovsalesforce/change_management/policy_new9.webp) -Controls the change level required for different types of changes. Health Check Changes affect the -way Platform Governance handles changes for the customization records for each Salesforce Health Check group -(session settings, file upload and security settings), so you can track and report on current -settings. There is a [Health Settings](/docs/platgovsalesforce/customizations/understanding_customization_record.md) tab -for the specific records on the customization record. +Controls the change level required for different types of changes. ### Application Configuration Changes (Data) @@ -109,10 +105,13 @@ See [Set Up Data Tracking](/docs/platgovsalesforce/changemanagement/datatracking ### Health Check Changes +Health Check Changes affect the way Platform Governance handles changes for the customization records for each Salesforce Health Check group +(session settings, file upload and security settings), so you can track and report on current +settings. There is a [Health Settings](/docs/platgovsalesforce/customizations/understanding_customization_record.md) tab +for the specific records on the customization record. + ![Health Check Changes](/images/platgovsalesforce/change_management/policy_new16_a.webp) -Select the change level for **Health Check Changes**: **None**, **Log Changes Only**, **Change -Request**, **Sandbox Development & Testing**, or **Full Software Development Lifecycle**. ### IT Policies @@ -122,12 +121,11 @@ Specify the **Preliminary Approver**. Enter part of the name to see a matching l changes, you can also set a **Final Approver**. This person must approve all changes affected by the rule. -### Customization Policies +### Uncategorized Changes -![Customization Policies](/images/platgovsalesforce/change_management/policy_new12.webp) +![Uncategorized Changes](/images/platgovsalesforce/change_management/policy_new12.webp) -**Require Impacted Customization Approval**: select this option to require approval from all -impacted Customization owners. +This change control level applies to any components not included in the other categories. ### Management Policies @@ -140,19 +138,6 @@ impacted Customization owners. **No Order Required**: select this option to allow approvals in any order. If it isn't checked, approvals occur in the order specified. -### Change Enablement Defaults - -![Change Enablement Defaults](/images/platgovsalesforce/change_management/policy_new15.webp) - -**Merge Approval Lists**: select this option to merge lists when multiple policies apply to a -change. - -**Sequential Approval Requests**: select this option to send approval emails one at a time as each -approver approves the change. If not checked, all approvers receive the approval emails at the same -time. - -**Non-conforming Customization Alerts**: select this option to alert Customization Owners if there -is a non-conforming change to their Customization. ## Related @@ -216,4 +201,4 @@ available on the **Related** tab on the policy. 5. Click the right arrow to add selections to the **Selected Salesforce Type List**. Click the left arrow to remove items from the selected list. 6. Click **Save** when complete. A confirmation dialog appears. Click **OK** to confirm you - want to add all of the customizations from the selected Salesforce types. + want to add all the customizations from the selected Salesforce types. diff --git a/docs/platgovsalesforce/installingstrongpoint/installing_strongpoint.md b/docs/platgovsalesforce/installingstrongpoint/installing_strongpoint.md index 97541a1549..288dd19ed5 100644 --- a/docs/platgovsalesforce/installingstrongpoint/installing_strongpoint.md +++ b/docs/platgovsalesforce/installingstrongpoint/installing_strongpoint.md @@ -6,8 +6,7 @@ sidebar_position: 10 # Install Platform Governance for Salesforce -Platform Governance for Salesforce is installed with package installation file sent to you by our -customer success team. To install: +The Netwrix customer success team sends you a package installation file. To install Platform Governance for Salesforce: 1. Click the install URL. If installing in the sandbox, replace the initial portion of the URL with [http://test.salesforce.com](http://test.salesforce.com) @@ -16,8 +15,7 @@ customer success team. To install: ![install1](/images/platgovsalesforce/installing_strongpoint/install1.webp) :::note -The installation runs in the background. An email notification is sent to you when the installation -is complete. +The installation runs in the background. You receive an email notification when the installation completes. ::: ## Configure Authentication @@ -26,11 +24,11 @@ After installing the package, you need to configure authentication credentials. ### Recommended: Named Credential Authentication (OAuth) -**This is the recommended approach** for all organizations, and is **required** when High Assurance is enabled on user profiles. +**This is the recommended approach** for all organizations, and is **required** when user profiles have High Assurance enabled. Named Credentials provide: - **High Assurance compatibility** - Required when Salesforce profiles have High Assurance enabled -- **Independent authentication** - Does not rely on specific user credentials, improving security and reliability +- **Independent authentication** - Doesn't rely on specific user credentials, improving security and reliability - **Automatic token refresh** - No session expiration issues - **Enhanced security** - Limited OAuth scopes instead of full user permissions @@ -40,13 +38,13 @@ For detailed step-by-step instructions on configuring Named Credentials with Ext ### Legacy: Session ID Authentication -The traditional method uses direct user credentials (username, password, and security token) to authenticate API calls. **This method does not require a Connected App**, but has significant limitations: +The traditional method uses direct user credentials (username, password, and security token) to authenticate API calls. **This method doesn't require a Connected App**, but has significant limitations: -- **Does not work with High Assurance** - Fails when High Assurance is enabled on user profiles -- **User-dependent** - Relies on specific user credentials; if using this method, we recommend creating a dedicated Integration User for this purpose +- **Doesn't work with High Assurance** - Fails when user profiles have High Assurance enabled +- **User-dependent** - Relies on specific user credentials; if using this method, Netwrix recommends creating a dedicated Integration User for this purpose :::warning High Assurance Incompatibility -If your Salesforce organization has **High Assurance enabled on user profiles**, you **must** use the Named Credential authentication method. Session ID authentication will not work with High Assurance. While High Assurance is often associated with MFA requirements, it is the High Assurance setting itself that makes Named Credentials mandatory. +If your Salesforce organization has **High Assurance enabled on user profiles**, you **must** use the Named Credential authentication method. Session ID authentication will not work with High Assurance. While many organizations associate High Assurance with MFA requirements, the High Assurance setting itself makes Named Credentials mandatory. :::
@@ -55,18 +53,18 @@ If your Salesforce organization has **High Assurance enabled on user profiles**, This method uses direct user credentials without requiring a Connected App setup. **Requirements:** -- Salesforce **username** (we recommend using a dedicated Integration User) +- Salesforce **username** (Netwrix recommends using a dedicated Integration User) - Salesforce **password** - Salesforce **security token** (obtained from user settings) **Configuration:** -The credentials are entered directly in the Platform Governance application during the Getting Started Wizard. No Connected App or OAuth configuration is needed. +Enter the credentials directly in the Platform Governance application during the Getting Started Wizard. You don't need a Connected App or OAuth configuration. **Best Practice:** When using Session ID authentication, create a dedicated Integration User specifically for Platform Governance. This approach provides better control and reduces dependencies on individual user accounts. **Limitations:** -- Cannot be used if High Assurance is enabled on user profiles +- Doesn't work when user profiles have High Assurance enabled - Depends on specific user credentials, creating maintenance overhead - Not suitable for organizations with High Assurance requirements @@ -74,7 +72,9 @@ When using Session ID authentication, create a dedicated Integration User specif ## Assign Permission Set to Users -After configuring authentication, you must assign the required Permission Set to users who will access Platform Governance for Salesforce. +After configuring authentication, you must assign the required Permission Set to users who will access Platform Governance for Salesforce, and to any users running scheduled jobs or background processes the application requires. + +This is required because the Permission Set grants access to the data and system processes Platform Governance uses, including metadata scanning and other automated operations. ### Assign Netwrix Grant Permissions @@ -90,12 +90,12 @@ After configuring authentication, you must assign the required Permission Set to 7. Click **Done** :::note Required Permission Set -The **Netwrix Grant Permissions** permission set is required for all users who will access the Netwrix Lightning application. Without this permission set, users will not be able to use Platform Governance for Salesforce. +All users who access the Netwrix Lightning application need the **Netwrix Grant Permissions** permission set. Without this permission set, users cannot use Platform Governance for Salesforce. ::: ### Verify Permission Assignment -To verify that the permission set has been assigned correctly: +To verify that you assigned the permission set correctly: 1. Navigate to **Setup** > **Users** > **Users** 2. Click a user who should have access @@ -113,7 +113,7 @@ After configuring authentication (either Named Credentials or Session ID), acces ![eula](/images/platgovsalesforce/installing_strongpoint/eula.webp) -You are now ready to begin using Platform Governance for Salesforce. +You can now use Platform Governance for Salesforce. ## Next Steps @@ -124,4 +124,4 @@ After completing the installation and authentication setup: - **Legacy:** Session ID setup - Only for organizations without High Assurance 2. **Initial Configuration:** - - [Run the Getting Started Wizard](using_getting_started_wizard.md) \ No newline at end of file + - [Run the Getting Started Wizard](using_getting_started_wizard.md) diff --git a/docs/privilegesecure/4.2/admin/configuration/integrationconnector/integrationbyov/byovconnectorconfig.md b/docs/privilegesecure/4.2/admin/configuration/integrationconnector/integrationbyov/byovconnectorconfig.md index c1a2300041..e12d4b2ff1 100644 --- a/docs/privilegesecure/4.2/admin/configuration/integrationconnector/integrationbyov/byovconnectorconfig.md +++ b/docs/privilegesecure/4.2/admin/configuration/integrationconnector/integrationbyov/byovconnectorconfig.md @@ -7,13 +7,12 @@ sidebar_position: 10 # Bring Your Own Vault (BYOV) Connector Configuration This topic walks through the steps necessary to configure Netwrix Privilege Secure as a BYOV -Integration Connector that can be used to perform activities as a specific user account. This can be -done with accounts managed by Privilege Secure, or with accounts stored inside of a Secret Vault +Integration Connector you can use to perform activities as a specific user account. This can be +done with accounts managed by Privilege Secure, or with accounts stored in a Secret Vault within Privilege Secure. Use this workflow to bypass the default "Enable Account" and "Disable Account" pre-session and -post-session actions. In the case of a Secret Vault credential, when it is necessary to use an -unmanaged account for an activity. +post-session actions, or when you need to use an unmanaged Secret Vault credential for an activity. ## Set Up an Integration Connector @@ -22,8 +21,8 @@ Ensure that the account you wish to use for your activity is managed by Privileg contained within a Secret Vault resource in Privilege Secure. :::note -For managed accounts, ensure that the account has been rotated at least once since being -managed. Otherwise, there will be no vaulted password in the Netwrix Privilege Secure database. +For managed accounts, ensure you have rotated the account password at least once since managing +it. Otherwise, there will be no vaulted password in the Netwrix Privilege Secure database. ::: @@ -178,7 +177,7 @@ information on configuring a BYOV connector. ### Create a User -Once the integration connector has been configured, create a manually-managed user. +After you configure the integration connector, create a manually-managed user. Follow the steps to create a manually-managed user. @@ -204,7 +203,7 @@ creating a managed account. ### Set the Account Password -Once the account has been manually managed, the password must be set for the account. The following +After you manually manage the account, set the password for it. The following icons should be visible: Wrench (Set Password), Clipboard (Copy Password to Clipboard), and Information (View Password). @@ -222,8 +221,7 @@ account. **Step 3 –** Enter a password to match the AD password, then click **Save**. :::note -For versions before Privilege Secure 4.1, a support ticket will be needed as the Set -Password feature is not available. +For versions before Privilege Secure 4.1, [contact Support](https://netwrix.com/en/support/) because the Set Password feature is not available. ::: @@ -233,7 +231,7 @@ topic for additional information on manually managing an account. ### Create an Activity -Once the password has been set for the account, create an activity for the BYOV connector. +After you set the password for the account, create an activity for the BYOV connector. Follow the steps to create an activity. @@ -275,7 +273,7 @@ Activity. ### Configure a New Policy -Once an Activity has been created, configure a new Policy. +After you create an Activity, configure a new Policy. Follow the steps to create a Policy. @@ -314,6 +312,6 @@ management. ![My Activities BYOV Connector](/images/privilegesecure/4.2/accessmanagement/admin/configuration/add/byovconnectormyactivities.webp) :::tip -Remember, Always verify configurations and permissions, especially when integrating with systems +Verify configurations and permissions, especially when integrating with systems like AD and using specific user accounts for critical operations. ::: diff --git a/docs/threatmanager/3.0/threats/overview.md b/docs/threatmanager/3.0/threats/overview.md index cd97cd3c94..c890dfb9b9 100644 --- a/docs/threatmanager/3.0/threats/overview.md +++ b/docs/threatmanager/3.0/threats/overview.md @@ -6,10 +6,7 @@ sidebar_position: 30 # Type of Threats -Netwrix Threat Manager by default provides some pre-configured threats and users can create custom -threats using the Custom option or through the Create Threat option on the Investigation page. The -pre-defined and custom threats are listed in the Threat box. Threats that are crossed out are -disabled threats. +Netwrix Threat Manager provides pre-configured threats by default. Create custom threats using the Custom option or the Create Threat option on the Investigation page. The Threat box lists pre-defined and custom threats. Crossed-out threats are disabled. ![Threats Box](/images/threatmanager/3.0/threats/threatsbox.webp) diff --git a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md index 11ff46ef69..1a8fd7cd76 100644 --- a/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md +++ b/docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md @@ -6,8 +6,7 @@ sidebar_position: 10 # Active Directory Sync Page -The Active Directory Sync page within the Integrations interface lists the domains that are synced -to the Threat Manager database. The sync operation gets all information about an Active Directory +The Active Directory Sync page within the Integrations interface lists the Active Directory domains synced to the Threat Manager database. The sync operation gets all information about an Active Directory environment (users, groups, hosts, etc). See the [Permissions for Active Directory Sync ](/docs/threatmanager/3.1/requirements/permissions/adsync.md) topic for additional information about the permissions required for Active Directory syncing. @@ -21,7 +20,7 @@ Directory domains, if any. Each added domain represents a sync policy. ![Integrations interface on the Active Directory Sync page](/images/threatmanager/3.0/administration/configuration/integrations/page.webp) A service named Active Directory Service continuously runs to collect data for the specified -domain(s). It evaluates the USN value of an object and syncs when the object changes. The table +domain(s). It evaluates the Update Sequence Number (USN) of an object and syncs when the object changes. The table provides the following information: - Name – Name of the domain. This may be either the domain DNS name or domain controller hostname. @@ -161,15 +160,14 @@ The Domain Configuration tab displays the following settings: article for additional information. - Perform a full scan on next run – Indicates whether the next sync will only look for domain changes or run a full scan of the domain. By default, this option is enabled for the first sync - executed when a new domain is added; however, it is disabled automatically after the first sync. + executed when a new domain is added; however, the system disables it automatically after the first sync. This can be used to fully refresh domain information, but is typically not needed for normal operation. - Test Connection – Click **Test Connection** to ensure connection to the domain. This will take a moment. Then a message will appear in the upper right corner of the console indicating a successful or failed connection. -The Save button is enabled when any settings are modified. Click it to commit the changes before -leaving the page. +The Save button activates when you modify any settings. Click it to commit the changes before leaving the page. ### Sync History Tab @@ -190,7 +188,7 @@ The table provides the following information: - Computers Changed – Number of computer objects with changes detected since the last sync - Status – Event status for the sync task -The table is designed to display 10 records at a time, by default. However, you can set this to 50, +By default, the table displays 10 records at a time. However, you can set this to 50, 100, or 1,000 rows with the drop-down menu above the right corner of the table. There is a search box above the left corner of the table. Page navigation buttons are below the table. You can also export the data from the current page using the **Export CSV** button. @@ -238,4 +236,4 @@ full scan of the domain. **Step 9 –** The Save button is enabled when any settings are modified. Click it to commit the changes before leaving the page. -The changes to the Domain Configuration have been saved. +Netwrix Threat Manager saves the Domain Configuration changes. diff --git a/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md b/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md index 4c1fb59ccc..535bc8bb30 100644 --- a/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md +++ b/docs/threatmanager/3.1/administration/configuration/systemsettings/useraccess.md @@ -11,31 +11,26 @@ assigned roles for console access. ![System Settings interface on the User Access page](/images/threatmanager/3.0/administration/configuration/systemsettings/page.webp) -Roles are assigned by the following methods: +Assign roles using one of the following methods: -- Group Membership – Members of the group will be given the role assigned +- Group Membership – Members of the group receive the assigned role :::note - If a user is a member of multiple assigned groups, the group with the highest level of - privilege is assigned + If a user belongs to multiple assigned groups, the system assigns the group with the highest privilege level. ::: - Direct User Assignment – Assigns a role directly to a user :::note - If a user is assigned a role directly, it takes priority over any group membership - roles that have been assigned + If a user is assigned a role directly, it takes priority over any group membership roles. ::: The User Access page includes the following sections: -- Users & Groups – It provides the ability to allow or deny console access and configure - authentication types for users and groups. See the Users & Groups topic for additional - information. -- Settings – It provides the ability to customize the user login page and configure the token - expiration time for authenticated users. See the Settings topic for additional information. +- Users & Groups – Allows or denies console access and configures authentication types for users and groups. See the Users & Groups topic for additional information. +- Settings – Customizes the user login page and configures the token expiration time for authenticated users. See the Settings topic for additional information. ## Users & Groups @@ -65,7 +60,7 @@ The table displays the following information: Authentication Types Defined topic for additional information. - Action – This column has the following icons for conducting actions on the user or group: - - Edit icon – Allows you to edit the columns in the selected row by enabling drop-down menus. + - Edit icon – Opens drop-down menus to edit the columns in the selected row. The edit icon changes to a save icon while in edit mode. See the Edit Console Access topic for additional information. - Trash icon – Opens a Warning window to confirm the action of deleting the user or group. @@ -137,9 +132,8 @@ The following authentication types can be assigned to users and groups: solution (Authenticator, DUO, etc.) - No MFA – This type uses only an Active Directory username and password for authentication - Authentication Provider Profiles – This type enables third-party authentication providers using - RADIUS, OpenID, and SAML integrations. Methods of authentication will vary based on the - third-party authentication provider. This must be configure in the Authentication Provider page of - the Integrations interface in order to be available for user assignment. + Remote Authentication Dial-In User Service (RADIUS), OpenID, and SAML integrations. Authentication methods vary based on the + third-party authentication provider. Configure this in the Authentication Provider page of the Integrations interface before assigning it to users. See the [Authentication Provider Page](/docs/threatmanager/3.1/administration/configuration/integrations/page/page.md) topic for additional information. @@ -197,7 +191,7 @@ Type for this user or group. **Step 4 –** Click the Save icon, which replaced the Edit icon. -The modification for the selected user or group is committed. +The modification applies to the selected user or group. ### Edit Built-in Admin Password @@ -219,7 +213,7 @@ built-in ADMIN account. The Edit password for built-in admin window opens. **Step 6 –** Click Save. The Edit password for built-in admin window closes. -The password for the built-in ADMIN account has been updated. +Netwrix Threat Manager updates the built-in ADMIN account password. ## Settings diff --git a/docs/threatprevention/7.5/requirements/eperestsite.md b/docs/threatprevention/7.5/requirements/eperestsite.md index 99de076ab1..3678b00ea5 100644 --- a/docs/threatprevention/7.5/requirements/eperestsite.md +++ b/docs/threatprevention/7.5/requirements/eperestsite.md @@ -6,16 +6,14 @@ sidebar_position: 60 # EPE Rest Site Requirements -Requirements for the EPE Rest Site are the same as documented for the Netwrix Threat Manager -Reporting Module. See the [Reporting Module Server Requirements](/docs/threatprevention/7.5/requirements/reportingserver.md) topic for -additional information. +The Enterprise Password Enforcer (EPE) Rest Site has the same requirements as the Netwrix Threat Manager Reporting Module. See [Reporting Module Server Requirements](/docs/threatprevention/7.5/requirements/reportingserver.md) for additional information. The following additional component is required: - Internet Information Services (IIS) v6 or higher You can install the EPE Rest Site on the Netwrix Threat Manager Reporting Module server. To install -it on a different machine, make sure the following is installed as a prerequisite: +it on a different machine, first install these prerequisites: - DotNet 4.5.2 or higher - ASP.NET 4.5 or higher @@ -26,14 +24,11 @@ While installing the EPE Rest Site, the installer requires an SQL Server instanc store locally hosted accounts to authenticate. The EPE Rest Site creates a database named “EpeUsers” with ASP.NET related tables to manage such local accounts. -The EPE Rest Site database can reside on the same instance of the SQL Server as the Threat -Prevention database or a separate instance (such as a free instance of SQL Express) that can be -installed locally on the machine where the EPE Rest Site is installed. +The EPE Rest Site database can reside on the same SQL Server instance as the Threat Prevention database, or on a separate instance (such as a local SQL Express instance) on the EPE Rest Site machine. :::note -The “EpeUsers” database is not created during the installation, but when you create the -first “internal” account. +The installer creates the “EpeUsers” database when you create the first “internal” account, not during installation. ::: -The database is not deleted when you uninstall the EPE Rest Site. +Uninstalling the EPE Rest Site does not delete the database. diff --git a/src/components/VersionSwitcher/index.js b/src/components/VersionSwitcher/index.js index be4ab23f92..f8f6865d3a 100644 --- a/src/components/VersionSwitcher/index.js +++ b/src/components/VersionSwitcher/index.js @@ -15,13 +15,12 @@ export default function VersionSwitcher() { let currentVersion = null; for (const product of PRODUCTS) { - // Extract the product path segment (e.g., 'passwordsecure' from 'docs/passwordsecure') - const productPathSegment = product.path.split('/').pop(); + // Check if the URL starts with this product's path (e.g., 'docs/auditor') + const productPathParts = product.path.split('/').filter((part) => part); + const matches = productPathParts.every((part, i) => pathParts[i] === part); - // Check if this product's path segment is in the URL - const productIndex = pathParts.indexOf(productPathSegment); - - if (productIndex !== -1) { + if (matches) { + const productIndex = productPathParts.length - 1; matchedProduct = product; // Check if there's a version segment after the product diff --git a/static/images/platgovsalesforce/change_management/policy_new12.webp b/static/images/platgovsalesforce/change_management/policy_new12.webp index 6fe1180f8b..a0d7e66189 100644 Binary files a/static/images/platgovsalesforce/change_management/policy_new12.webp and b/static/images/platgovsalesforce/change_management/policy_new12.webp differ diff --git a/static/images/platgovsalesforce/change_management/policy_new4.webp b/static/images/platgovsalesforce/change_management/policy_new4.webp index e55d9110cb..76763d1bbb 100644 Binary files a/static/images/platgovsalesforce/change_management/policy_new4.webp and b/static/images/platgovsalesforce/change_management/policy_new4.webp differ