Auditing "change permissions"

Hi there.


I´m trying to accomidate a customer to set up auditing on their SMB vserver.


There are no problem activating it, and it writes to the log file.

But it´s not capturing the event the customer is after.


They want to see if anyone change permission on a folder.

Is that even possible?


As i understand it´s "4670: Permissions on an object were changed" that they need.


I have read tr-4189 and found the list of event IDs the controller is logging.
4670 is not avaialable... but 4663 is and it captures "Read/Write Object Get/Set Object attributes"


Should the "change permission" be available in that eventID, or is it impossible to audit folder permission changes on a NetApp vserver?


(Running cDOT 8.3.1)