
Commit e95717f

update audit ace info
1 parent f2ebbeb commit e95717f

3 files changed

+16
-11
lines changed

articles/azure-netapp-files/configure-access-control-lists.md

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn how to configure access control lists (ACLs) on NFSv4.1 with
44
author: b-ahibbard
55
ms.service: azure-netapp-files
66
ms.topic: how-to
7-
ms.date: 12/20/2024
7+
ms.date: 07/10/2025
88
ms.author: anfdocs
99
# Customer intent: "As a system administrator, I want to configure access control lists on NFSv4.1 volumes in Azure NetApp Files, so that I can manage fine-grained file permissions for users and groups to enhance security and control over shared resources."
1010
---
@@ -48,17 +48,22 @@ To learn more about ACLs in Azure NetApp Files, see [Understand NFSv4.x ACLs](nf
4848
- `A:g:GROUP@:rwaDxtTnNcy` - group has full (RWX) access
4949
- `A::EVERYONE@:tcy` - everyone else has no access
5050

51-
1. To modify an ACE for a user, use the `nfs4_setfacl` command: `nfs4_setfacl -a|x A|D::<user|group>:<permissions_alias> <file>`
51+
1. To modify an ACE for a user, use the `nfs4_setfacl` command: `nfs4_setfacl -a|x A|D|U::<user|group>:<permissions_alias> <file>`
52+
5253
- Use `-a` to add permission. Use `-x` to remove permission.
53-
- `A` creates access; `D` denies access.
54+
- `A` creates access; `D` denies access. `U:` is used for audit ACEs to log access attempts.
5455
- In an Active Directory-joined set up, enter an email address for the user. Otherwise, enter the numerical user ID.
55-
- Permission aliases include read, write, append, execute, etc.
56+
- Permission aliases include read, write, append, execute, and others. For a full list of permissions, see: [NFSv4.x permissions](nfs-access-control-lists.md#nfsv4x-permissions).
5657
In the following Active Directory-joined example, user [email protected] is given read, write, and execute access to `/nfsldap/engineering`:
5758
```bash
5859
nfs4_setfacl -a A::[email protected]:RWX /nfsldap/engineering
5960
```
6061

62+
- If you're configuring an ACE for [file access logs](manage-file-access-logs.md), you must use the `U:` prefix to denote the ACE is an audit ACE. The following example configures an audit log for everyone for successful and failed access attempts:
63+
`nfs4_setfacl -a U:fdiSF:EVERYONE@:rwaDdxtTnNcCoy /<mount_point>`
64+
65+
6166
## Next steps
6267
6368
* [Configure NFS clients](configure-nfs-clients.md)
64-
* [Understand NFSv4.x ACLs](nfs-access-control-lists.md).
69+
* [Understand NFSv4.x ACLs](nfs-access-control-lists.md)
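Review bot: the updated syntax line (`nfs4_setfacl -a|x A|D|U::<user|group>:<permissions_alias> <file>`) shows an empty flags field for all three types, but the audit example added on line 63+ only works because it carries `U:fdiSF:`, and the `U:` bullet never says that an audit ACE needs the `S`/`F` administrative flags to select which outcomes are logged. Suggest extending the bullet to "`U:` is used for audit ACEs; combine it with `S` (successful) and/or `F` (failed) flags to choose which access attempts are logged", and putting the audit example in a ```bash fence like the `[email protected]` example above it rather than inline backticks. The meaning of the `fdi` part of `fdiSF` is also not explained anywhere in this hunk.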

articles/azure-netapp-files/manage-file-access-logs.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ services: azure-netapp-files
55
author: b-ahibbard
66
ms.service: azure-netapp-files
77
ms.topic: how-to
8-
ms.date: 04/18/2025
8+
ms.date: 07/10/2025
99
ms.author: anfdocs
1010
ms.custom: references_regions
1111
# Customer intent: As a storage administrator, I want to enable file access logs on Azure NetApp Files volumes so that I can monitor file access operations and troubleshoot access issues effectively.
@@ -33,7 +33,7 @@ File access logs provide file access logging for individual volumes, capturing f
3333
* Events such as file/folder creation or deletion are key events to log.
3434
* System access control list (SACL) settings for logging should be used sparingly. Frequent operations (for example, READ or GET) can have significant performance impact, but have limited logging value. It's recommended that SACL setting not log these frequent operations to conserve performance.
3535
* SACL policy additions aren't currently supported with file access logs.
36-
* When clubbing events such as READ/WRITE, only a handful of operation per file read or write are captured to reduce event logging rate. 
36+
* With clubbing events such as READ/WRITE, only a handful of operation per file read or write are captured to reduce event logging rate. 
3737
* File access logs support a [log generation rate metric](azure-netapp-files-metrics.md). The log generation rate shouldn't exceed 64 MiB/minute.
3838

3939
If the rate of file access event generation exceeds 64 MiB/minute, the [Activity log](monitor-azure-netapp-files.md) sends a message stating that the rate of file access log generation is exceeding the limit. If log generation exceeds the limit, logging events can be delayed or dropped. If you're approaching this limit, disable noncritical auditing ACLs to reduce the event generation rate. As a precaution, you can [create an alert](/azure/azure-monitor/alerts/alerts-create-activity-log-alert-rule) for this event.
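Review bot: the 36+ line still reads "only a handful of operation per file read or write are captured", so the grammatical error the change was meant to fix ("operation" should be "operations") remains, and the line keeps a trailing space. "Clubbing" is also unexplained jargon; suggest "When READ/WRITE events are grouped (clubbed), only a handful of operations per file read or write are captured to reduce the event logging rate."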
@@ -151,7 +151,7 @@ To enable logging access on individual files and directories, complete the follo
151151
152152
For NFSv4.1, both discretionary and system ACEs are stored in the same ACL, not separate discretionary ACLs and SACLs. Exercise caution when adding audit ACEs to an existing ACL to avoid overwriting and losing an existing ACL. The order in which you add audit ACEs to an existing ACL doesn't matter.
153153
154-
**For steps**, see [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md).
154+
Whe configuring the Audit ACE, ensure you use the `U:` prefix to denote it's an Audit ACE. **For steps**, see [Configure access control lists on NFSv4.1 volumes](configure-access-control-lists.md).
155155
156156
---
157157
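Review bot: typo on the 154+ line, "Whe configuring" should be "When configuring"; also "Audit ACE" is capitalized here while the preceding context line uses "audit ACEs", so pick one form. Suggest: "When configuring the audit ACE, use the `U:` prefix to denote it's an audit ACE."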

articles/azure-netapp-files/nfs-access-control-lists.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ services: azure-netapp-files
55
author: b-ahibbard
66
ms.service: azure-netapp-files
77
ms.topic: concept-article
8-
ms.date: 02/13/2025
8+
ms.date: 07/10/2025
99
ms.author: anfdocs
1010
# Customer intent: "As a system administrator managing data access in Azure NetApp Files, I want to understand NFSv4.x ACLs and their permissions so that I can effectively control access and secure our file storage while ensuring compliance with user management policies."
1111
---
@@ -16,7 +16,7 @@ The NFSv4.x protocol can provide access control in the form of [access control l
1616

1717
:::image type="content" source="./media/nfs-access-control-lists/access-control-entity-to-client-diagram.png" alt-text="Diagram of access control entity to Azure NetApp Files." lightbox="./media/nfs-access-control-lists/access-control-entity-to-client-diagram.png":::
1818

19-
Each NFSv4.x ACL is created with the format of `type:flags:principal:permissions`.
19+
Each NFSv4.x ACL uses the format of `type:flags:principal:permissions`.
2020

2121
* **Type** – the type of ACL being defined. Valid choices include Access (A), Deny (D), Audit (U), Alarm (L). Azure NetApp Files supports Access, Deny and Audit ACL types, but Audit ACLs, while being able to be set, don't currently produce audit logs.
2222
* **Flags** – adds extra context for an ACL. There are three kinds of ACE flags: group, inheritance, and administrative. For more information on flags, see [NFSv4.x ACE flags](#nfsv4x-ace-flags).
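Review bot: the unchanged context on line 21 still states that Audit ACLs "while being able to be set, don't currently produce audit logs", which contradicts the new sentence at 183+ in this same file ("Audit ACEs are required for file access logs") and the purpose of this commit; line 21 needs updating here. Separately, the reworded 19+ line describes `type:flags:principal:permissions` as the format of an ACL, but that is the format of one ACE (an ACL is the list of them, as the bullets below say); suggest "Each NFSv4.x ACE uses the format `type:flags:principal:permissions`."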
@@ -180,7 +180,7 @@ Administrative flags in NFSv4.x ACLs are special flags that are used only with A
180180
181181
This Audit ACL is an example of that, where `user1` is audited for failed access attempts for any permission level: `U:F:[email protected]:rwatTnNcCy`.
182182
183-
Azure NetApp Files only supports setting administrative flags for Audit ACEs, however the ACEs don't function. Alarm ACEs aren't supported in Azure NetApp Files.
183+
Azure NetApp Files only supports setting administrative flags for Audit ACEs. Audit ACEs are required for [file access logs](manage-file-access-logs.md). Alarm ACEs aren't supported in Azure NetApp Files.
184184
185185
## NFSv4.x user and group principals
186186
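Review bot: the 183+ line now says Audit ACEs are required for file access logs, but the only worked example in this section (line 181) shows just the `F` flag for failed attempts, while the new example in configure-access-control-lists.md in this commit uses `SF` for successful and failed attempts; since this is the concept article the how-to links to, state here that `S` logs successful attempts and `F` failed ones, and link to the file access logs article for the full example so the two pages stay consistent.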
