updated images for FSAA Applet settings and SPN Mapping. Added spnmap…#933

Open
brandonwest-netwrix wants to merge 13 commits into dev from brandonwest-netwrix-ADD-NAA-SPN-Mapping

@brandonwest-netwrix
Collaborator

updated images for FSAA Applet settings and SPN Mapping. Added spnmapping.md to explain how to use SPN Mapping.

@github-actions
Contributor

⚠️ Broken Anchor Links

1 broken anchor link(s) found — these will cause the build to fail.

  docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:134
    - [Enable SPN Mapping](docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md) - Netwrix Access Analyzer authenticates to each applet host using Kerberos with an automatically generated Service Principal Name (SPN). In environments where the applet host sits behind a proxy — or where applet services run under accounts whose SPNs don't match the default pattern — this automatic SPN will not exist in Active Directory and certificate exchange with the applet will fail.
    docs/accessanalyzer/12.0/admin/datacollector/fsaa/docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md not found

Auto-Fix Summary

40 issues fixed, 5 skipped across 3 files

| Category | Fixes |
| --- | --- |
| Contractions | 7 |
| Plurals | 4 |
| Substitutions | 4 |
| AllowsYouTo (rewrite) | 1 |
| Contractions (rewrite) | 1 |
| Dale: passive-voice | 18 |
| Dale: positional-references | 2 |
| Dale: undefined-acronyms | 3 |

| Skipped (needs manual review) | Reason |
| --- | --- |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:28 — Dale: undefined-acronyms | FSAA expansion is inconsistent across the project (appears as 'File System Access Auditing', 'File System Access Auditor', and 'File System Access Analyzer' in other docs); not confident which is canonical |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:86 — Dale: passive-voice | 'before it gets pushed into the job engine queue' — rewriting introduces ambiguity about which component pushes the host |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:92 — Dale: passive-voice | 'If a communication timeout is reached' — describes a triggering event/state, active rewrite would be unclear about the subject |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:98 — Dale: passive-voice | 'the remote scan is either automatically suspended or canceled' — describes job behavior that depends on multiple option states; rewriting could obscure the conditional logic |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:81 — Dale: wordiness | 'This option dictates a set limit to the number of simultaneous scans allowed to run on a proxy host regardless of max threads set on the job' is wordy but tightening risks losing the specific technical meaning |

Ask @claude on this PR if you'd like an explanation of any fix.

brandonwest-netwrix and others added 2 commits May 18, 2026 12:02
Generated with AI

Co-Authored-By: Claude Code <ai@netwrix.com>
Generated with AI

Co-Authored-By: Claude Code <ai@netwrix.com>

@github-actions
Contributor

Auto-Fix Summary

5 issues fixed, 5 skipped across 3 files

| Category | Fixes |
| --- | --- |
| Contractions | 1 |
| Dale: passive-voice | 4 |

| Skipped (needs manual review) | Reason |
| --- | --- |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:28 — Dale: undefined-acronyms | FSAA appears throughout body prose without an explicit definition, but the canonical expansion is ambiguous from the surrounding text (the doc references 'File System Access/Permission Auditing Scan'); adding an unverified expansion could introduce an inaccuracy. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:38 — Dale: passive-voice | null |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:92 — Dale: passive-voice | 'after the timeout value has been exceeded' — active alternatives ('after the timeout expires', 'after exceeding the timeout') change the technical meaning. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:105 — Dale: passive-voice | 'the scan is suspended after the communication timeout value has been exceeded' — conversion would require introducing actor and changing temporal phrasing. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:18 — Dale: wordiness | 'options associated with the scan mode to be used' is slightly wordy, but removing 'to be used' loses specificity about the chosen scan mode. |

Ask @claude on this PR if you'd like an explanation of any fix.

@github-actions
Contributor

Auto-Fix Summary

7 issues fixed, 11 skipped across 3 files

| Category | Fixes |
| --- | --- |
| Dale: passive-voice | 6 |
| Dale: undefined-acronyms | 1 |

| Skipped (needs manual review) | Reason |
| --- | --- |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md:20 — Dale: passive-voice | 'Verify the SPN is registered in Active Directory' — actor ambiguous (AD admin vs. system); rewrite risks changing meaning |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md:85 — Dale: passive-voice | 'Verify the SPN is registered in AD' in troubleshooting table — same ambiguity as line 20 |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md:20 — Dale: passive-voice | 'Verify the SPN is registered in Active Directory' — actor ambiguous (AD admin vs. system); rewrite risks changing meaning |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md:85 — Dale: passive-voice | 'Verify the SPN is registered in AD' in troubleshooting table — same ambiguity as line 20 |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:82 — Dale: passive-voice | 'scans allowed to run' and 'max threads set on the job' are reduced participles serving as adjectives in a UI-describing bullet; rewriting changes sentence structure significantly |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:86 — Dale: passive-voice | 'the value set in the query configuration' and 'the job is configured with 20 threads' — describing UI configuration state; rewrite would distort the example |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:92 — Dale: passive-voice | 'after the timeout value has been exceeded' — 'exceeded' and 'expires' carry slightly different semantics for a threshold value; ambiguous |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:93 — Dale: passive-voice | 'a communication timeout is reached' / 'option is unchecked' — describing UI/state events; clean active rewrite requires re-wording the conditional |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:102 — Dale: passive-voice | 'are both set to zero or unchecked' describes UI checkbox state; passive is standard for state descriptions |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:105 — Dale: passive-voice | 'the scan is suspended after the communication timeout value has been exceeded' — both passive clauses; safe active rewrite ('Access Analyzer suspends the scan after the timeout expires') alters the semantic of 'exceeded' vs 'expires' |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:117 — Dale: spelling (out of scope) | Typo 'FSSA' should be 'FSAA' but Dale rules don't cover spelling |

Ask @claude on this PR if you'd like an explanation of any fix.

@brandonwest-netwrix
Collaborator Author

@claude fix all issues

@github-actions
Contributor

github-actions Bot commented May 18, 2026

Fix complete:

  • Fix broken anchor link in docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md (already corrected in an earlier commit — the link uses an absolute path)
  • Apply editorial fixes to docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md
  • Apply editorial fixes to docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md
  • Apply editorial fixes to docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md
  • Add cross-link bullet to docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md
  • Commit and push

Summary

  • docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md and docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md (identical edits to both versions):

    • Reordered top-level sections so ## Query requirements now appears as reference material before ## Configure the mapping, instead of being indented inside step 6 of the procedure.
    • Renamed ## When to use this → ## When to use SPN mapping.
    • Spelled out FQDN on first use: "the DNS-resolved fully qualified domain name (FQDN)".
    • Added a sentence after the setspn -Q <spn> example explaining how to read the result (registered account vs. No such SPN found).
    • Added a sentence in step 2 of Before you begin clarifying that the mapping table must live in a database reachable by the scan's SQL connection profile and that the account needs SELECT permission.
    • Added a lead-in caption ("The query results pane shows the host and SPN columns returned by your query:") and a blank line before the query-result screenshot.
    • Capitalized "Ensure" and lowercased "BOTH COLUMNS" → "both columns" in the troubleshooting table.
    • Split the final Host name format bullet into two sentences and ended it with a period.
  • docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:

    • Spelled out Service Principal Name (SPN) on first use in the new Enable SPN Mapping bullet.
    • Rewrote the proxy-affinity-unchecked bullet to drop the duplicated product name and tighten the clause.
  • docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:

    • Added the Enable SPN Mapping bullet (mirroring 12.0) so the new SPN mapping topic is discoverable from the parent procedure in both versions.

Not changed — needs your call

The reviewer flagged that the Enable SPN Mapping bullet sits inside Certificate Exchange Options, but SPN mapping is a Kerberos authentication concern. If the product UI groups SPN Mapping with the certificate-exchange options, the placement is correct; if the UI places it elsewhere, the bullet should move to match. I left the bullet where you put it. Reply with @claude if you want me to either (a) move the bullet to a new section, or (b) add a short framing sentence at the top of Certificate Exchange Options explaining that the section also covers authentication-related settings.

github-actions Bot and others added 2 commits May 18, 2026 16:51
- spnmapping (11.6 + 12.0): reorder so Query requirements appears
  before Configure the mapping; rename heading to "When to use SPN
  mapping"; spell out FQDN on first use; add interpretation of setspn
  output; clarify mapping table location and required permissions;
  add caption before query result screenshot; capitalize "Ensure" and
  lowercase "BOTH COLUMNS" in troubleshooting table; end final query-
  requirement bullet with period and split into two sentences.
- appletsettings 12.0: spell out SPN on first use; tighten proxy-
  affinity-unchecked bullet to drop duplicate product name.
- appletsettings 11.6: add Enable SPN Mapping bullet so the new topic
  is discoverable from the parent procedure.

Co-Authored-By: Claude <noreply@anthropic.com>

@github-actions
Contributor

Auto-Fix Summary

40 issues fixed, 7 skipped across 4 files

| Category | Fixes |
| --- | --- |
| Contractions | 8 |
| Plurals | 4 |
| Substitutions | 2 |
| AllowsYouTo (rewrite) | 1 |
| Contractions (rewrite) | 1 |
| Dale: passive-voice | 20 |
| Dale: positional-references | 2 |
| Dale: undefined-acronyms | 1 |
| Dale: wordiness | 1 |

| Skipped (needs manual review) | Reason |
| --- | --- |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:115 — Dale: passive-voice | Sentence 'Certificate exchange is handled automatically by the FSAA Data Collector' uses a non-breaking space character between 'FSAA' and 'Data Collector' that prevented the Edit tool from matching the string. The 12.0 equivalent has been rewritten to active voice; this 11.6 instance remains. |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:91 — Dale: passive-voice | 'after the timeout value has been exceeded' is passive but rewording (e.g., 'after exceeding the timeout value') would alter the implied actor; the same phrasing is used in the cleaned-up 12.0 version, so it is treated as accepted style. |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:104 — Dale: passive-voice | 'the scan is suspended after the communication timeout value has been exceeded' — same phrasing retained in 12.0, treated as accepted style for describing system-driven state changes. |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:106 — Dale: passive-voice | 'When checked, this option will timeout the applet if there is an attempt to pause the scan' — 'When checked' is a common UI-state shorthand kept in 12.0; rewording 'there is an attempt to pause' would change meaning (the actor is ambiguous in the source). |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:117 — Dale: passive-voice | 'expect all certificates to be valid and in their respective stores beforehand' — 'to be valid' describes a state rather than an action; rewording risks shifting meaning. |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md:45 — Dale: passive-voice | 'if the execution host is configured using a fully qualified domain name (FQDN)' — 'is configured' describes existing system state; rewriting to active voice (e.g., 'if you configured the execution host…') would imply the reader did the configuration, which may not be true. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md:45 — Dale: passive-voice | Same phrasing as the 11.6 file; rewriting risks changing implied actor. |

Ask @claude on this PR if you'd like an explanation of any fix.

- Align "Enable SPN mapping" casing to match UI label
- Move FSAA acronym expansion to first use in 12.0 appletsettings
- Replace "execution host" with "applet host" throughout spnmapping pages
- Convert * bullets to - in Query requirements sections
- Rename "Turning it off" heading to "Disable SPN mapping"
- Remove duplicate FQDN expansion in step 6
- Expand "AD" to "Active Directory" in troubleshooting table

Generated with AI

Co-Authored-By: Claude Code <ai@netwrix.com>

@github-actions
Contributor

Documentation PR Review

Editorial Review

docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md

  • Clarity — Line 9: "The Applet Settings page is where you configure the Applet Launch Mechanism and Applet Settings." repeats "Applet Settings" twice in the same sentence, creating a tautology (the Applet Settings page configures Applet Settings). Suggested fix: "On the Applet Settings page, configure the Applet Launch Mechanism and the applet behavior options for the scan." — or distinguish the section name from the page name more explicitly.
  • Completeness — Line 128: "Provide Certificate Authority – Enables the Select button to upload an existing certificate" reads as if the button itself uploads (rather than enabling an upload action). The parallel 12.0 file rewrote this as two sentences ("Enables the Select button. Use this button to upload an existing certificate."), which is clearer. Suggested fix: mirror the 12.0 phrasing so the two versions stay in sync.
  • Consistency — Line 134: "when the automatically generated SPN is not valid" uses the uncontracted form, while the parallel 12.0 line uses "isn't valid". Per the project style guide, contractions are encouraged. Suggested fix: change to "isn't valid" to match 12.0 and the surrounding voice.
  • Structure — Line 28 introduces "File System Access Audit (FSAA)" as an acronym expansion deep inside a bullet, but "FSAA" already appears in the page title, the H1, and elsewhere on the page (e.g., "FSAA Data Collector"). The 12.0 file moves the expansion up to the opening paragraph. Suggested fix: either expand FSAA on first body mention (around line 7–9 in this file) to match the 12.0 ordering, or omit the expansion here since it's already established in the title.

docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md

  • Structure — The title in frontmatter ("Configuring Custom SPN Mapping for Applet Hosts") doesn't match the link text used by appletsettings.md ("FSAA: SPN Mapping"), and it diverges from the 12.0 file's frontmatter title ("FSAA: SPN Mapping"). The link text, the sidebar entry, and the page title should agree so readers don't see one label in the sidebar/cross-reference and a different one when they land. Suggested fix: align the 11.6 and 12.0 frontmatter title values — either both "FSAA: SPN Mapping" (matching the cross-reference) or both "Configuring Custom SPN Mapping for Applet Hosts" (and update the cross-reference link text in appletsettings.md accordingly).
  • Completeness — Line 43: "The @host parameter is available if you want to filter by scan target, but it's optional" — this is the first mention of @host, and a reader scanning "Query requirements" before reaching step 5 won't know where @host comes from. Suggested fix: add a short clause defining it on first mention, e.g., "The @host parameter — supplied automatically by Access Analyzer with the current scan target — is available if you want to filter…".
  • Clarity — Line 13: "Use custom SPN mapping to tell the scan which SPN to use when connecting to each applet host." mildly anthropomorphizes "the scan" and repeats "use" twice. Suggested fix: "Use custom SPN mapping to specify which SPN Access Analyzer should present when it connects to each applet host."
  • Clarity — Line 21: the setspn -Q <spn> example uses a fenced code block with no language identifier, so it renders without syntax highlighting. Other code blocks on this page use sql. Suggested fix: tag it as powershell (or ```cmd) so it renders consistently with the rest of the page.
  • Consistency — Line 11 ("this automatic SPN will not exist") and line 78 ("Access Analyzer will use the SPN") use uncontracted future-tense forms where the style guide encourages contractions. Suggested fix: "won't exist" and consider present tense where appropriate ("Access Analyzer uses the SPN…") to match the procedural tone used elsewhere.

docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md

  • Clarity — Line 9: "The Applet Settings page is where you configure the File System Access Audit (FSAA) Applet Launch Mechanism and Applet Settings." Inserting "File System Access Audit (FSAA)" directly in front of "Applet Launch Mechanism" makes it look like the UI section is labeled "FSAA Applet Launch Mechanism", but the actual section heading on the page (line 25) and on the screen is just "Applet Launch Mechanism". The sentence also still contains the page-name/section-name tautology ("Applet Settings page… Applet Settings"). Suggested fix: separate the acronym definition from the UI label, e.g., "The Applet Settings page configures how the File System Access Audit (FSAA) applet is launched and how it behaves during a scan. It is a wizard page for the categories of:" — then keep the UI section labels ("Applet Launch Mechanism", "Applet Settings section") unmodified in the body that follows.
  • Clarity — Line 133: "Enable SPN mapping – Provide a custom Service Principal Name (SPN) per applet host when the automatically generated SPN isn't valid (for example, when the applet host sits behind a proxy)." The phrase "per applet host" reads awkwardly as a noun-modifier. Suggested fix: "Enable SPN mapping – Provide a custom Service Principal Name (SPN) for each applet host whose automatically generated SPN isn't valid (for example, when the applet host is behind a proxy)."

docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md

  • Structure — The frontmatter title is "FSAA: SPN Mapping" but the H1 (line 7) is "Configuring Custom SPN Mapping for Applet Hosts". These should agree — the title drives the browser tab and sidebar entry, while the H1 is what the reader sees on the page. The mismatch will be confusing. Suggested fix: pick one form and use it for both title and H1 (the cross-reference in appletsettings.md uses "FSAA: SPN Mapping", so aligning everything on that string is the lowest-effort fix).
  • Completeness — Line 43: same as 11.6 — @host is referenced under "Query requirements" before it is defined. Suggested fix: add a one-clause definition on first mention so the reader doesn't have to jump ahead to step 5 to understand where @host comes from.
  • Clarity — Line 13: same anthropomorphism as 11.6 ("tell the scan"). Suggested fix: rephrase to "specify which SPN Access Analyzer should present" — and keep the two version files in lockstep.
  • Clarity — Line 21: same missing language tag on the setspn code block as in 11.6. Suggested fix: add ```powershell.
  • Consistency — Lines 11 and 78: same "will not" / "will use" wording as 11.6. Suggested fix: apply the same contraction/tense changes here to keep the two versions identical.

Summary

13 editorial suggestions across 4 files, with most issues mirrored between the 11.6 and 12.0 versions. The two main themes are (1) the frontmatter title vs. H1 vs. cross-reference text for the new SPN mapping page is inconsistent, and (2) the @host parameter is referenced before it's defined. The two version pairs have also drifted slightly in wording (contractions, the "Provide Certificate Authority" sentence) — worth a quick pass to bring them back into sync. Vale and Dale issues are auto-fixed separately.


What to do next:

Comment @claude on this PR followed by your instructions to get help:

  • @claude fix all issues — fix all editorial issues
  • @claude help improve the flow of this document — get writing assistance
  • @claude explain the voice issues — understand why something was flagged

You can ask Claude anything about the review or about Netwrix writing standards.

Automated fixes are only available for branches in this repository, not forks.

@github-actions
Contributor

Auto-Fix Summary

4 issues fixed, 6 skipped across 4 files

| Category | Fixes |
| --- | --- |
| Contractions | 1 |
| Dale: passive-voice | 3 |

| Skipped (needs manual review) | Reason |
| --- | --- |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:91 — Dale: passive-voice | 'after the timeout value has been exceeded' is passive but rewriting to active voice would change the implicit subject and risk altering meaning. |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/appletsettings.md:104 — Dale: passive-voice | 'the scan is suspended after the communication timeout value has been exceeded' contains multiple passive clauses tied to system state; rewriting risks changing the agent/meaning. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:90 — Dale: passive-voice | Same 'after the timeout value has been exceeded' construction as 11.6 — preserved to avoid meaning shift. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md:103 — Dale: passive-voice | Same passive 'scan is suspended after the communication timeout value has been exceeded' as 11.6 — preserved to avoid meaning shift. |
| docs/accessanalyzer/11.6/admin/datacollector/fsaa/spnmapping.md:19 — Dale: passive-voice | 'Verify the SPN is registered in Active Directory' uses 'is registered' as a state-of-being check; rewording would obscure the verification intent. |
| docs/accessanalyzer/12.0/admin/datacollector/fsaa/spnmapping.md:19 — Dale: passive-voice | Same state-of-being 'is registered' construction as 11.6 — preserved. |

Ask @claude on this PR if you'd like an explanation of any fix.

Generated with AI

Co-Authored-By: Claude Code <ai@netwrix.com>
3 participants