Data access by applications and tools can be categorized according to many dimensions, including what data is being accessed, how it is being accessed, how many SQL calls are being made, etc. In an enterprise environment, it is very important to get a good handle on database access. This requirement can stem from the need to understand and secure access to the database due to compliance initiatives and even due to the need to tune and optimize your database environment. Because there can be many databases and a very large number of database clients in enterprise environments, getting a handle on the data access paths can be hard to do.
Access maps provide a convenient way to create a mapping of data access – showing access paths between database clients and database servers. This view is displayed as a visual map that shows all access paths derived from a set of criteria that you define. Criteria can be set based on any combination including server type or location on the network (IPs and subnets). In addition, you can group access patterns together, since one of the main problems in reviewing access data is the detailed granularity. By grouping similar access paths, you are able to get a visual map, which can be meaningful in understanding your access environment. Using this visual depiction, you can then drill down and get further information on any one access path in the map.
Note: To view Access Maps from your browser, you need the Adobe SVG Viewer. See Software Downloads from Adobe.
To work with the Access Map Application, your Guardium user account must be assigned a security role that is also assigned to that application.
To open the Access Map application, do one of the following:
From an administrator portal: select Tools > Config & Control > Access Map Builder/Viewer.
From a user portal: select View > Access Map > Access Map builder.
Open the Access Map Application panel (see above):
Enter a unique name for the new map in the Enter a map name box. The appearance of the remaining panes in the Access Map Application panel changes depending on your selection in the menu on the left. When you first open the panel, the Filtering menu option is selected. Supply any filtering information, then proceed to the Grouping and Output options (described later).
In the Involving dates pane, enter the from and to dates to be included in the map, using the calendar or relative date picker tools.
Complete the Access involving the following Server IPs pane. Leave this pane blank to map the traffic to all database servers or use this pane to identify one or more specific servers or sets of servers. Enter an IP address in the first box and a subnet mask in the second box. Click the plus button to add the IP address and mask to the map definition, or click the minus button to remove an entry.
Use the Access involving the following Client IPs pane to identify one or more clients, as described above for the servers.
Use the Access involving the following database types pane to identify which databases on the specified servers are to be mapped.
Select the Grouping button in the left pane of the panel to group the mapping. This opens three aggregation panels:
Use the Aggregate access based on pane to aggregate access, thereby simplifying the display produced. You can aggregate on both command or command subtype, and object or object subtype. For either type of aggregation, mark the appropriate checkbox and select the desired aggregation item.
Use the Server IP aggregation granularity pane to aggregate paths to all servers based on the octets comprising their IP addresses:
X.*.*.*: For mapping purposes, treat each server IP address beginning with the same first octet as a single endpoint.
X.Y.*.*: For mapping purposes, treat each server IP address beginning with the same first and second octets as a single endpoint.
X.Y.Z.*: For mapping purposes, treat each server IP address beginning with the same first, second, and third octets as a single endpoint.
Full IPs: For mapping purposes, treat each complete server IP address as a single endpoint. Be aware that this option aggregates multiple databases at the same IP address.
None: (Default) No path aggregation by server IP address.
Use the Client IP aggregation granularity pane to aggregate paths from all clients based on the octets comprising their IP addresses:
X.*.*.*: For mapping purposes, treat each client IP address beginning with the same first octet as a single endpoint.
X.Y.*.*: For mapping purposes, treat each client IP address beginning with the same first and second octets as a single endpoint.
X.Y.Z.*: For mapping purposes, treat each client IP address beginning with the same first, second, and third octets as a single endpoint.
Full IPs: For mapping purposes, treat each complete client IP address as a single endpoint. Be aware that this option aggregates multiple databases at the same IP address.
None: (Default) No path aggregation by client IP address.
Click the Output button in the left pane of the panel to control how the map displays. This opens the Generated output type for access map pane.
Select one of the following options:
Generate Interactive Map produces a map you can view online and drill down on for more detail (described in more detail below).
Generate PDF produces a printable version of the map in PDF (Portable Document Format). You need Adobe Acrobat Reader to view PDF files. See Software Downloads from Adobe.
Note: If you save a PDF version of a map on your system and you reopen it later using Adobe Acrobat, you are not able to drill down on the map using any of the hyperlinks.
Mark the Base access map on aliases checkbox to use aliases on the map display.
Click the Save and View button at the top of the panel to save and view the map. Following a short delay, the requested map displays in the Access Map Application panel. If you selected the PDF output format, the Adobe Acrobat PDF Viewer opens in this panel. For information about how to view the map output, see the following topic: Viewing Access Maps.
Click the View button. Use the Click here to open access map in another window link to open a map in a separate Access Map window. A map is easier to view and manipulate in a separate window.
The map legend displays at the bottom of the map. The legend that displays on your map will vary depending on its contents. The symbols are self-explanatory.
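The Server IPs and Client IPs filters and the IP aggregation granularity options described in the map definition steps can be reasoned about offline with a small model. The following is an added example, not Guardium code: the record layout, the function names and the way the None option keeps databases on one IP apart are assumptions, and the traffic is constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample traffic: (client IP, server IP, database type).
RECORDS = [
    ("10.1.4.20", "192.168.7.5", "ORACLE"),
    ("10.1.4.21", "192.168.7.5", "DB2"),
    ("10.1.9.33", "192.168.7.6", "ORACLE"),
    ("10.2.0.8", "192.168.8.5", "ORACLE"),
    ("172.16.3.3", "192.168.7.5", "ORACLE"),
]

# Number of leading octets kept by each wildcard granularity option.
KEEP_OCTETS = {"X.*.*.*": 1, "X.Y.*.*": 2, "X.Y.Z.*": 3}

def endpoint(ip, granularity, database=None):
    """Return the map endpoint label for an IP under one granularity option."""
    if granularity in KEEP_OCTETS:
        n = KEEP_OCTETS[granularity]
        return ".".join(ip.split(".")[:n] + ["*"] * (4 - n))
    if granularity == "Full IPs":
        return ip  # every database at this address shares one endpoint
    if granularity == "None":
        # Assumption: without aggregation, databases on one IP stay separate.
        return f"{ip}/{database}" if database else ip
    raise ValueError(f"unknown granularity: {granularity}")

def matches(ip, filters):
    """filters holds (IP, subnet mask) pairs; an empty list matches everything."""
    return not filters or any(
        ip_address(ip) in ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in filters)

def access_paths(records, server_filters=(), client_filters=(),
                 server_gran="None", client_gran="None"):
    """Count records per (client endpoint, server endpoint) access path."""
    paths = Counter()
    for client, server, database in records:
        if matches(server, server_filters) and matches(client, client_filters):
            paths[(endpoint(client, client_gran),
                   endpoint(server, server_gran, database))] += 1
    return dict(paths)

if __name__ == "__main__":
    for path, hits in access_paths(RECORDS, server_gran="X.Y.Z.*",
                                   client_gran="X.*.*.*").items():
        print(path, hits)
```

Coarser granularity produces fewer, heavier paths: the five constructed records collapse to three paths at X.Y.Z.* for servers and X.*.*.* for clients, which is the trade-off to weigh when a map is used to review who reaches which database.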
Open the Access Map Application panel (see above).
From the drop-down list of maps, select the map you want to modify.
Click the Load button to load the map definition.
Make changes to the map definition (see Create an Access Map, above).
Click the Modify button.
Open the Access Map Application panel (see above).
From the drop-down list of maps, select the map you want to remove.
Click the Remove button. You are prompted to confirm the action.