Identify Users via Application User Translation

Application User Translation Overview

Some applications manage a pool of database connections. In such three-tier architectures the pooled connections all log into a database using a single functional ID, and then manage all application users internally – when a user session needs access to the database it acquires a connection from the pool, uses it and then releases it back to the pool. When this happens, Guardium can see how the application interacts with the database, but it cannot attribute specific database actions to specific application users. For some widely used applications, Guardium has built-in support for identifying the end-user information from the application, and thus can relate database activity to the application end-users.

To use this facility, follow the procedure outlined below:

  1. Define an Application User Translation configuration for the application. See Configure Application User Detection, below.

  2. Populate any pre-defined groups required for that application. See Populate Pre-Defined Application Groups.

  3. Regenerate any portlets for special reports for that application, and place the portlets on a page. See Regenerate Special Application Report Portlets.

Selective Audit Trail and Application User Translation

If the installed data access policy uses the selective audit trail feature to limit the amount of data logged, there are two important considerations that apply to application user translation:

Configure Application User Detection

  1. Select Administration Console > Application User Translation.

  2. Click the (Add) button to expand the Add App User Translation panel.

  3. In the Application Code box, enter a unique code to identify the application.

  4. From the Application Type list, select the application type:

  5. In the Application Version box, enter the application version number (11, for example).

  6. From the Application Server Type list, select the application server type. Only the server types available for the selected Application Type and Version (see above) will be displayed.

  7. In the Server IP box, enter the IP address the application uses to connect to the database.

  8. In the Port box, enter the port number the application uses to connect to the database.

  9. In the Instance Name box, enter the instance name the application uses to connect to the database.

  10. In the DB Name box, enter the database name for the application. (Required for some applications, not used for others.)

  11. Mark the Active box to enable user translation. (Nothing will be translated until after the first import of user definitions – see below).

  12. Enter a User Name for Guardium to use when accessing the database.

  13. Enter a Password for Guardium to use when accessing the database.

  14. Mark the Responsibility box if you want to associate responsibilities (Administration, for example) with user names. Or clear the Responsibility box to just record user names. When the box is cleared, all activities performed by a user will be grouped together, regardless of the responsibility at the time the activity occurred.

  15. Click the Add button to save the Application User Translation definition.

  16. Click Run Once Now to import the user definitions for this application (and any others defined).

    Later, after verifying that the data import operation worked successfully, return to this panel and click the Modify Schedule button to define an import operation to run on a regular basis. Schedule the import of user definition data at whatever interval is suitable for your environment. The maximum time that a new application user name will not be available is the time between executions of the import operation: until the next import runs, activity by a user created in the application after the last import cannot be translated and remains attributed only to the functional ID. For instructions on how to use the scheduler, see Scheduling, in the Common Tools book.

  17. From the Administration Console, select Inspection Engines, and click Restart Inspection Engines in the Inspection Engine Configuration panel.

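The following is an added example, not Guardium code or a description of its internal data model. It shows in working Python what the overview above describes and why the import interval in step 16 and the Responsibility box in step 14 matter: every pooled connection logs in as one functional ID, so the database-side audit trail alone cannot say which application user issued a statement; attribution needs an application-side record of which user held which pooled session and when, plus the imported user definitions. All names, session identifiers, timestamps and SQL text are constructed for the example; the lease ledger format and the status labels NOT_IMPORTED and UNTRANSLATED are assumptions made here, not Guardium terminology.

```python
from datetime import datetime

# Constructed sample data for illustration only (not Guardium's data model).
# All pooled connections authenticate to the database as one functional ID.
FUNCTIONAL_ID = "APPS"

# Database-side audit records as seen on the wire:
# (timestamp, database login, pooled session id, SQL text)
DB_EVENTS = [
    ("2024-03-01T09:00:05", "APPS", "sess-1", "SELECT * FROM AP_INVOICES WHERE INVOICE_ID = 1001"),
    ("2024-03-01T09:00:40", "APPS", "sess-2", "UPDATE HR_SALARIES SET AMOUNT = 99000 WHERE EMP_ID = 7"),
    ("2024-03-01T09:01:10", "APPS", "sess-1", "DELETE FROM AP_INVOICES WHERE INVOICE_ID = 1001"),
    ("2024-03-01T09:05:00", "APPS", "sess-9", "SELECT * FROM HR_SALARIES"),
]

# Application-side lease ledger (assumed format): which application user held
# which pooled session during which interval. The real source is
# application-specific, which is why each application type has its own support.
APP_LEASES = [
    ("jdoe",    "sess-1", "2024-03-01T09:00:00", "2024-03-01T09:00:30"),
    ("asmith",  "sess-2", "2024-03-01T09:00:35", "2024-03-01T09:00:50"),
    ("newhire", "sess-1", "2024-03-01T09:01:00", "2024-03-01T09:01:30"),
]

# User definitions as of the last import run: user -> responsibility.
# "newhire" was created in the application after this import ran.
IMPORTED_USERS = {
    "jdoe": "Payables Clerk",
    "asmith": "HR Manager",
}


def parse(ts):
    return datetime.fromisoformat(ts)


def find_app_user(session_id, ts, leases):
    """Return the application user holding session_id at time ts, or None."""
    t = parse(ts)
    for user, sess, start, end in leases:
        if sess == session_id and parse(start) <= t <= parse(end):
            return user
    return None


def translate(db_events, leases, imported_users, responsibility=True):
    """Attribute each database event to an application user.

    'app_user' is the resolved user name, or one of two markers (assumed here):
      NOT_IMPORTED  - the application knows the user, but the last import
                      predates the account (the window between import runs)
      UNTRANSLATED  - no application session held this connection at that time;
                      a direct login with the functional ID looks like this
    With responsibility=False, activity is recorded per user only, as when the
    Responsibility box is cleared.
    """
    out = []
    for ts, db_user, sess, sql in db_events:
        user = find_app_user(sess, ts, leases)
        if user is None:
            label, resp = "UNTRANSLATED", None
        elif user not in imported_users:
            label, resp = "NOT_IMPORTED", None
        else:
            label = user
            resp = imported_users[user] if responsibility else None
        out.append({"ts": ts, "db_user": db_user, "session": sess,
                    "app_user": label, "responsibility": resp, "sql": sql})
    return out


def unattributed(results):
    """Events that could not be tied to an imported application user."""
    return [r for r in results if r["app_user"] in ("UNTRANSLATED", "NOT_IMPORTED")]


if __name__ == "__main__":
    rows = translate(DB_EVENTS, APP_LEASES, IMPORTED_USERS)
    for r in rows:
        print(f'{r["ts"]} {r["db_user"]:<5} {r["session"]:<7} '
              f'{r["app_user"]:<13} {str(r["responsibility"]):<15} {r["sql"]}')
    print(f"{len(unattributed(rows))} event(s) not attributable to an imported user")
```

Two of the four constructed events come back without a user: the DELETE is issued by a user created after the last import, which the scheduled import in step 16 will resolve on its next run, and the final SELECT arrives on a session no application user ever held, which is the case translation cannot cover at all and which is worth reporting on separately.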

Populate Pre-Defined Application Groups

When Application User Translation has been configured, you must populate at least two pre-defined groups with information that will be specific to your environment. The table below identifies the groups that must be populated for each application type. For instructions on how to populate a group, see Groups in the Common Tools book.

  Application   Pre-Defined Group    Group Type
  -----------   -----------------    ----------
  EBS           EBS App Servers      Client IP
                EBS DB Servers       Server IP
  ICM           ICM App Servers      Client IP
                ICM DB Servers       Server IP
  PeopleSoft    PSFT App Servers     Client IP
                PSFT DB Servers      Server IP
                PeopleSoft Objects   Objects
  Siebel        SIEBEL App Servers   Client IP
                SIEBEL DB Servers    Server IP
  SAP           SAP App Servers      Client IP
                SAP DB Servers       Server IP
                SAP - PCI            Objects

Regenerate Special Application Report Portlets

For some application types, one or more special report portlets must be regenerated. For example, there are two pre-defined EBS reports, and two pre-defined PeopleSoft reports. These reports cannot be modified. After populating the pre-defined application groups, as described above, follow the procedure outlined below to regenerate the predefined application portlets and place them on a page.

The examples in this section are for the EBS portlets, but the procedure is identical for other application types.

  1. Do one of the following to open the Report Finder:

  2. Click the Search button to open the Report Search Results panel.

  3. Select a report portlet for the application type (EBS Application Access, for example) and click the Regenerate Portlet button. You will be informed that the portlet has been regenerated.

  4. Repeat the above step for each application report (EBS Processes Database Access, or the PSFT Processes Database Access report, for example).

    Now add a tab to your layout, and include the two regenerated portlets on that tab.

  5. Click the Customize link at the top of the Guardium window, to open the Customize Pane (a standard user tabbed pane layout is illustrated below and is used for the remainder of this section).

  6. Click the Add Pane button to define a new tab.

  7. Enter a name for the tab - EBS Reports, for example - and click Apply. The new tab appears as the last tab in the list.

  8. Click on the new tab name to edit that pane.

  9. Click the Add Portlet button, and click the Next button until you locate the reports you want (the EBS reports, for example), and mark the checkbox beside each desired report.

  10. Click Apply, and then click Save and Apply to save the new pane layout. The new tab will appear at the end of the first row of tabs.

  11. Click on the new tab name to open the tab.

  12. Now click the customize button at the right side of the portlet panel to set the run-time parameters (date range and Show Aliases, for example). If you need help setting run-time parameters, see Reports in the Common Tools