Some applications manage a pool of database connections. In such three-tier architectures the pooled connections all log into a database using a single functional ID, and then manage all application users internally – when a user session needs access to the database it acquires a connection from the pool, uses it and then releases it back to the pool. When this happens, Guardium can see how the application interacts with the database, but it cannot attribute specific database actions to specific application users. For some widely used applications, Guardium has built-in support for identifying the end-user information from the application, and thus can relate database activity to the application end-users.
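The following Python script is an added illustration of the attribution problem described above; it is not Guardium code and does not reproduce how Guardium's built-in application user translation works. It uses constructed sample data: a database-side audit trail in which every statement arrives under one functional ID (the assumed login name APPSVC), and an application-side log of which end user acquired and released which pooled connection (identified by an assumed DB session id). The join shows how an application-tier record is needed to put an end-user name on each statement, and flags statements the join cannot explain.

```python
import re
from datetime import datetime

# Constructed sample: database-side audit records. Every statement is logged
# under the pool's single functional ID (assumed name APPSVC), so the database
# alone cannot say which application user each statement served.
DB_AUDIT = """\
2024-03-01T09:00:01 db_user=APPSVC client=10.0.0.5 session=17 sql=SELECT * FROM hr.salaries
2024-03-01T09:00:03 db_user=APPSVC client=10.0.0.5 session=18 sql=UPDATE hr.salaries SET amount=99000 WHERE emp=42
2024-03-01T09:00:07 db_user=APPSVC client=10.0.0.5 session=17 sql=DELETE FROM hr.salaries WHERE emp=7
2024-03-01T09:00:20 db_user=APPSVC client=10.0.0.5 session=17 sql=SELECT count(*) FROM hr.salaries
"""

# Constructed sample: the application tier's own record of which end user held
# which pooled connection (here keyed by its DB session id) and for how long.
POOL_LOG = """\
2024-03-01T09:00:00 acquire session=17 user=alice
2024-03-01T09:00:02 acquire session=18 user=bob
2024-03-01T09:00:04 release session=18 user=bob
2024-03-01T09:00:05 release session=17 user=alice
2024-03-01T09:00:06 acquire session=17 user=carol
2024-03-01T09:00:10 release session=17 user=carol
"""

DB_RE = re.compile(r"^(\S+) db_user=(\S+) client=(\S+) session=(\d+) sql=(.*)$")
POOL_RE = re.compile(r"^(\S+) (acquire|release) session=(\d+) user=(\S+)$")


def parse_checkouts(pool_log):
    """Turn acquire/release pairs into (session_id, start, end, app_user) intervals.
    A connection still checked out at the end of the log gets an open-ended interval."""
    open_by_session = {}
    intervals = []
    for line in pool_log.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the constructed format
        ts, action, session, user = m.groups()
        ts = datetime.fromisoformat(ts)
        session = int(session)
        if action == "acquire":
            open_by_session[session] = (ts, user)
        else:
            start, who = open_by_session.pop(session)
            intervals.append((session, start, ts, who))
    for session, (start, user) in open_by_session.items():
        intervals.append((session, start, None, user))
    return intervals


def attribute(db_audit, pool_log):
    """Join each audited statement to the application user who held its pooled
    connection at that instant. Returns a list of (app_user or None, db_user, sql)."""
    intervals = parse_checkouts(pool_log)
    results = []
    for line in db_audit.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        ts, db_user, _client_ip, session, sql = m.groups()
        ts = datetime.fromisoformat(ts)
        session = int(session)
        app_user = None
        for sid, start, end, who in intervals:
            if sid == session and start <= ts and (end is None or ts <= end):
                app_user = who
                break
        results.append((app_user, db_user, sql))
    return results


def unattributed(results):
    """Statements no checkout interval explains: the cases a reviewer should chase,
    since they ran under the functional ID with no end user behind them."""
    return [r for r in results if r[0] is None]


if __name__ == "__main__":
    for app_user, db_user, sql in attribute(DB_AUDIT, POOL_LOG):
        print(f"{db_user:8} -> {app_user or '<unattributed>':14} {sql}")
```

In the sample, the first three statements resolve to alice, bob and carol even though the database saw only APPSVC; the last statement ran on session 17 after carol released it and before anyone else acquired it, so it stays unattributed. That gap is the kind of thing the regular import of user definitions and the pre-defined app-server and DB-server groups exist to close.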
To use this facility, follow the procedure outlined below:
Define an Application User Translation configuration for the application. See Configure Application User Detection, below.
Populate any pre-defined groups required for that application. See Populate Pre-Defined Application Groups.
Regenerate any portlets for special reports for that application, and place the portlets on a page. See Regenerate Special Application Report Portlets.
If the installed data access policy uses the selective audit trail feature to limit the amount of data logged, there are two important considerations that apply to application user translation:
The policy will ignore all of the traffic that does not fit the application user translation rule (for example, not from the application server).
Only the SQL that matches the pattern for that security policy will be available for the special application user translation reports.
Select Administration Console > Application User Translation.
Click the (Add) button to expand the Add App User Translation panel.
In the Application Code box, enter a unique code to identify the application.
Note: Under Central Management, you must use different application codes on different managed machines. This prevents aliases generated for the users from conflicting with each other. (Under Central Management, there is one set of aliases that is shared by all managed units.)
From the Application Type list, select the application type:
BO-WI - Business Objects / Web Intelligence
ICM
EBS - Oracle E-Business Suite
PeopleSoft
SAP
Siebel
In the Application Version box, enter the application version number (11, for example).
From the Application Server Type list, select the application server type. Only the server types available for the selected Application Type and Version (see above) will be displayed.
In the Server IP box, enter the IP address the application uses to connect to the database.
In the Port box, enter the port number the application uses to connect to the database.
In the Instance Name box, enter the instance name the application uses to connect to the database.
In the DB Name box, enter the database name for the application. (Required for some applications, not used for others.)
Mark the Active box to enable user translation. (Nothing will be translated until after the first import of user definitions – see below).
Enter a User Name for Guardium to use when accessing the database.
Enter a Password for Guardium to use when accessing the database.
Mark the Responsibility box if you want to associate responsibilities (Administration, for example) with user names. Or clear the Responsibility box to just record user names. When the box is cleared, all activities performed by a user will be grouped together, regardless of the responsibility at the time the activity occurred.
Click the Add button to save the Application User Translation definition.
Click Run Once Now to import the user definitions for this application (and any others defined). Later, after verifying that the data import operation worked successfully, return to this panel and click the Modify Schedule button to define an import operation to run on a regular basis. You should schedule the import of user definition data at whatever interval is suitable for your environment. The maximum time for which a new application user name will not be available is the time between executions of the import operation. For instructions on how to use the scheduler, see Scheduling, in the Common Tools book.
From the Administration Console, select the Inspection Engines, and click Restart Inspection Engines in the Inspection Engine Configuration panel.
When Application User Translation has been configured, you must populate at least two pre-defined groups with information that will be specific to your environment. The table below identifies the groups that must be populated for each application type. For instructions on how to populate a group, see Groups in the Common Tools book.
Application | Pre-Defined Group | Group Type
EBS | EBS App Servers | Client IP
EBS | EBS DB Servers | Server IP
ICM | ICM App Servers | Client IP
ICM | ICM DB Servers | Server IP
PeopleSoft | PSFT App Servers | Client IP
PeopleSoft | PSFT DB Servers | Server IP
PeopleSoft | PeopleSoft Objects | Objects
Siebel | SIEBEL App Servers | Client IP
Siebel | SIEBEL DB Servers | Server IP
SAP | SAP App Servers | Client IP
SAP | SAP DB Servers | Server IP
SAP | SAP - PCI | Objects
For some application types, one or more special report portlets must be regenerated. For example, there are two pre-defined EBS reports, and two pre-defined PeopleSoft reports. These reports cannot be modified. After populating the pre-defined application groups, as described above, follow the procedure outlined below to regenerate the predefined application portlets and place them on a page.
The examples in this section are for the EBS portlets, but the procedure is identical for other application types.
Do one of the following to open the Report Finder:
Users with the admin role: Select Tools - Report Building - Report Builder.
All Others: Select Monitor/Audit - Build Reports - Report builder.
Click the Search button to open the Report Search Results panel.
Select a report portlet for the application type (EBS Application Access, for example), and click the Regenerate Portlet button. You will be informed that the portlet has been regenerated.
Repeat the above step for each application report (EBS Processes Database Access, or the PSFT Processes Database Access report, for example).
Now add a tab to your layout, and include the two regenerated portlets on that tab.
Click the Customize link at the top of the Guardium window, to open the Customize Pane (a standard user tabbed pane layout is illustrated below and is used for the remainder of this section).
Click the Add Pane button to define a new tab.
Enter a name for the tab - EBS Reports, for example - and click Apply. The new tab appears as the last tab in the list.
Click on the new tab name to edit that pane.
Click the Add Portlet button, and click the Next button until you locate the reports you want (the EBS reports, for example), and mark the checkbox beside each desired report.
Click Apply, and then click Save and Apply to save the new pane layout. The new tab will appear at the end of the first row of tabs.
Click on the new tab name to open the tab.
Now click the customize button at the right side of the portlet panel to set the run-time parameters (date range and Show Aliases, for example). If you need help setting run-time parameters, see Reports in the Common Tools