Do one of the following to open the Classification Policy Finder:
Users with the admin role: Select Tools > Config & Control > Classifier Policy Builder.
All Others: Select Discover > Classification > Classifier Policy Builder.
Click New to open the Classification Policy Definition panel.
Enter a unique name in the Name box.
Enter a category in the Category box, and a classification in the Classification box. Both are required. Both are used to group and organize data on reports.
Optionally enter a Description.
Click Save.
Optionally enter comments. (These can be entered at any time after the policy has been saved.) See Comments.
Click Edit Rules to define rules (and their associated actions). See Define Classification Policy Rules, below, for detailed instructions.
Modify a Classification Policy
Do one of the following to open the Classification Policy Finder:
Users with the admin role: Select Tools > Config & Control > Classifier Policy Builder.
All Others: Select Discover > Classification > Classifier Policy Builder.
Select the classification policy to be modified, and do one of the following:
To modify policy rules, click Edit Rules and see Define Classification Policy Rules, below.
To modify any other element of the definition, click the Modify button.
Type over any of the items in the top portion of the panel, as appropriate.
To modify policy rules, click Edit Rules and see Define Classification Policy Rules, below.
Click Save to save any changes, and click Done when you are finished.
Do one of the following to open the Classification Policy Finder:
Users with the admin role: Select Tools > Config & Control > Classifier Policy Builder.
All Others: Select Discover > Classification > Classifier Policy Builder.
Select the classification policy to be cloned, and click the Clone button.
Type over any of the items in the top portion of the panel, as appropriate for the cloned policy. We recommend that you replace the default name for the clone, which is the name of the selected policy prefixed with Copy of.
Click the Save Clone button to save the new classification policy. The policy will be re-displayed in the Classification Policy Definition panel.
See Modify a Classification Policy, above, for instructions on how to change components of the new classification policy definition.
Define Classification Policy Rules
If the Classification Policy Rules panel is not open:
Do one of the following to open the Classification Policy Finder:
Users with the admin role: Select Tools > Config & Control > Classifier Policy Builder.
All Others: Select Discover > Classification > Classifier Policy Builder.
Select the classification policy, and click the Edit Rules button.
Use the Classification Policy Rules panel to view or modify classification policy rules. The following table describes how to use the controls on this panel. For a description of how to define each type of classification policy rule, see the rule-type topics below: Define a Catalog Search Rule, Define a Search by Permissions Rule, Define a Search for Data Rule, and Define a Search for Unstructured Data Rule.
Control | Description
Add Rule | Click to add a rule. See Add a New Classification Policy Rule, below.
Remove Selected | Click to remove the selected rule.
Expand All | Click to expand the definitions of all rules.
Collapse All | Click to collapse all expanded definitions.
Select All | Click to mark the Select checkboxes for all rules.
Unselect All | Click to clear the Select checkboxes for all rules.
Rule Type: | Each rule is labeled with a number, the rule type and the rule name. For example, the second rule above is labeled: 2. Search For Data: SSN Pattern
(expand or collapse icon) | Click to expand or collapse the associated rule definition.
(Select checkbox) | Mark to select the associated rule.
(edit icon) | Click to edit the associated rule.
(push-pin icon) | Click to add a user comment to the rule definition. See Comments. If the rule already contains comments, a slip of paper displays beneath the push-pin, as shown in the push-pin icon to the right.
(move up or move down icon) | Click to move the rule up or down in the list of rules.
Cancel | Click to close the panel without saving any changes since the last save.
Done | Click to close the panel without saving any changes since the last save.
Add a New Classification Policy Rule
Click the Add Rule button to open the Classification Rule definition panel.
Enter a Rule Name.
Optionally enter a new Category and/or Classification for the rule. The defaults are taken from the Classification Policy Definition for the policy.
If the next rule in the classification policy should be evaluated after this rule is matched, mark the Continue on Match checkbox. The default is to stop evaluating rules when a rule is matched.
Select a Rule Type. For a new rule, no Rule Type is selected. Once a Rule Type is selected, the panel expands to include the fields needed to define that type of rule. For the specifics of how to define each type of rule, click one of the links below:
Define a Catalog Search Rule - Search the database catalog for table or column name
Define a Search by Permissions Rule - Search for the types of access that have been granted to users or roles
Define a Search for Data Rule - Match specific values or patterns in the data
Define a Search for Unstructured Data Rule - Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
Click the New Action button to add an action to be taken when this rule is matched. See Add a Classification Rule Action.
Click Accept to add the rule to the policy.
Define a Catalog Search Rule
A catalog search rule searches the database catalog for table and/or column names matching specified patterns. Wildcards are allowed: % for zero to any number of characters, or _ (underscore) for a single character.
In the Table Type row, mark at least one type of table to be searched: Synonym, System Table, Table, or View. (Table is selected by default.)
Optionally enter a specific name or a wildcard-based pattern in the Table Name Like box. If omitted, all table names will be selected.
Optionally enter a specific name or a wildcard-based pattern in the Column Name Like box. If omitted, all column names will be selected.
Click the Accept button when you are done.
Define a Search by Permissions Rule
A search by permissions rule searches the database catalog for tables based on the permissions granted to users and/or roles.
In the Table Type row, mark at least one type of table to be searched: Synonym, System Table, Table, or View. (Table is selected by default.)
In the Users row, optionally enter a specific user name and/or select a group of users. If both are omitted, all users will be considered. If both are specified, the user name will be merged with the group of user names. You can also click the (Groups) button to open the Group Builder in a separate window, to define a new group of users (which you can then select from the drop-down list).
In the Roles row, optionally enter a specific role name and/or select a group of roles. If both are omitted, all roles will be considered. If both are specified, the role name will be merged with the group of role names. You can also click the (Groups) button to open the Group Builder in a separate window, to define a new group of roles (which you can then select from the drop-down list).
From the Grant Type list, select one or more types of grants. Use the CTRL and SHIFT keys for multiple selections.
Note: Grant all is a particular type of grant. Selecting All in this list selects only the grant all type of grant. It does not select all types of grants.
Mark the With Admin Option checkbox to include only permissions that are granted with the admin option (which allows the grantee to grant the same access to others).
Click the Accept button.
Define a Search for Data Rule
A search for data rule searches one or more columns for specific data values. Wildcards are allowed: % for zero to any number of characters, or _ (underscore) for a single character.
In the Table Type row, mark at least one type of table to be searched: Synonym, System Table, Table, or View. (Table is selected by default.)
In the Table Name Like row, optionally enter a specific name or a wildcard-based pattern. If omitted, all table names will be selected.
In the Data Type row, select one or more data types to search.
Optionally enter a Minimum Length. If omitted, there is no lower limit.
Optionally enter a Maximum Length. If omitted, there is no upper limit.
In the Search Like box, optionally enter a specific value or a wildcard-based pattern. If omitted, all values will be selected.
In the Search Expression box, optionally enter a regular expression to define a pattern to be matched. To test a regular expression, click the (Regex) button to open the Build Regular Expression panel in a separate window. See Regular Expressions in the Common Tools book for instructions.
In the Maximum Rows box, optionally enter a maximum number of rows to sample, per table, when either Search Like or Search Expression is used. Enter zero to scan the entire table, or leave this value blank to use the system default of 1000 rows per table.
Click Accept when you are done.
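As an added illustration (not Guardium's own code), the following Python emulates how the options of a Search for Data rule combine over a constructed sample catalog, using the same % and _ wildcard semantics described for the catalog search rule, a regular expression for Search Expression, and Maximum Rows sampling that applies only when a value test is used (blank = 1000 rows, 0 = whole table). Column, SAMPLE_TABLES, SearchForDataRule and evaluate are assumed names, and treating Minimum/Maximum Length as bounds on the declared column length is an assumption.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

Column = namedtuple("Column", "data_type length values")  # declared type, declared length, sampled rows
SAMPLE_TABLES = {  # constructed sample catalog, not real data
    "EMPLOYEE": {
        "SSN": Column("VARCHAR", 11, ["123-45-6789", "987-65-4321"]),
        "NAME": Column("VARCHAR", 40, ["Alice", "Bob"]),
        "SALARY": Column("INTEGER", 10, [50000, 62000]),
    },
    "AUDIT_LOG": {"MESSAGE": Column("VARCHAR", 200, ["ok", "ssn=111-22-3333"])},
}

def like_to_regex(pattern):
    """Translate a LIKE pattern (% = any run of characters, _ = one character) to an anchored regex."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$")

@dataclass
class SearchForDataRule:
    data_types: set
    table_name_like: str = "%"          # omitted -> all tables
    min_length: int = None              # assumed to bound the declared column length
    max_length: int = None
    search_like: str = None             # LIKE-style value test
    search_expression: str = None       # regular-expression value test
    max_rows: int = None                # None -> system default of 1000; 0 -> whole table

def evaluate(rule, tables):
    table_re = like_to_regex(rule.table_name_like)
    like_re = like_to_regex(rule.search_like) if rule.search_like else None
    expr_re = re.compile(rule.search_expression) if rule.search_expression else None
    limit = 1000 if rule.max_rows is None else rule.max_rows
    hits = []  # (table, column) pairs the rule matches, in catalog order
    for table, columns in tables.items():
        if not table_re.match(table): continue
        for name, col in columns.items():
            lo, hi = rule.min_length or 0, rule.max_length or float("inf")
            if col.data_type not in rule.data_types or not lo <= col.length <= hi:
                continue
            if like_re is None and expr_re is None:  # no value test: type and length alone decide
                hits.append((table, name))
                continue
            sample = col.values if limit == 0 else col.values[:limit]  # Maximum Rows sampling
            if any((like_re is None or like_re.match(str(v)))
                   and (expr_re is None or expr_re.search(str(v))) for v in sample):
                hits.append((table, name))
    return hits
```

Running the SSN regex with max_rows=1 shows the trade-off behind the Maximum Rows default: the sample stops before the second AUDIT_LOG value, so that column is not classified.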
Define a Search for Unstructured Data Rule
A Search for Unstructured Data rule examines a non-database file.
In the Search Like box, optionally enter a specific value or a wildcard-based pattern. If omitted, all values will be selected.
In the Search Expression box, optionally enter a regular expression to define a pattern to be matched. To test a regular expression, click the (Regex) button to open the Build Regular Expression panel in a separate window. See Regular Expressions in the Common Tools book for instructions.
Click Accept when you are done.
Add a Classification Rule Action
After a rule has been saved, click the (Customize) button for that rule to return to the rule definition panel, from which you can add one or more rule actions.
Click the New Action button to open the Action panel.
Enter an Action Name.
Optionally enter a Description.
Select an Action Type from the list. Depending on the action selected, a different set of fields will appear on the panel. For the Ignore and Log Result actions, no additional information is needed. For all other actions (see below), additional fields will appear on the panel, and you will have to enter additional information.
Ignore - Do not log the match, and take no additional actions.
Log Result - Log the match, and take no additional actions.
For all other actions, refer to the appropriate topic below:
After actions have been added to the Classification Rule panel, the controls in the table below can be used to modify the actions defined.
Control | Description
(edit icon) | Click to edit the associated action definition.
(remove icon) | Click to remove the action from the rule definition.
(move up or move down icon) | Click to move the action up or down in the list of actions.
Click Accept when you are done working with the rule definition.
Each time the classification rule is matched, a member will be added to the selected Object-Field group on the appliance. You have the option of replacing all members, or adding new members.
For a database file, the object component of the member will be the database table name, and the field component will be the column name.
For an unstructured data file, the object component of the member will be the file name (in quotes), and the field component will be the column name; if column names cannot be determined, the columns are named column1, column2, and so on.
Do one of the following:
Select an Object-Field Group from the list, or
Click the (Groups) button, define a new group using the Group Builder (see Groups), and then select that group from the list.
Optionally mark the Replace Group Content box to completely replace the membership of the selected group with members returned by this rule. By default, this box is not marked, which means that new members will be added to the group, but no members will be deleted. For a job that is run on demand, this box is ignored, and you are given the opportunity to add or replace members on the view results panel.
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Each time the classification rule is matched, a member will be added to the selected Object group on the appliance.
For a database file type, the member will be the database table name. For an unstructured file type, the member name will be the file name.
You have the option of replacing all entries, or only adding new entries.
Do one of the following:
Select an Object Group from the list, or
Click the (Groups) button, define a new group using the Group Builder (see Groups), and then select that group from the list.
Optionally mark the Replace Group Content box to completely replace the membership of the selected group with members returned by this rule. By default, this box is not marked, which means that new members will be added to the group, but no members will be deleted. For a job that is run on demand, this box is ignored, and you are given the opportunity to add or replace members on the view results panel.
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Each time the classification rule is matched, an access rule will be inserted into an existing security policy definition. The updated security policy will not be installed (that task is performed separately, usually by a Guardium administrator).
Select an Access Policy from the list. You must be authorized to access that policy.
Enter a rule name in the Rule Description box.
Select an action from the Access Rule Action list. For a detailed description of Access Rule actions, see Rule Actions in the Policies topic.
Optionally select a Commands Group, or click the (Groups) button, define a new Commands group using the Group Builder (see Groups), and then select that Commands group from the list.
To log field values separately, mark the Include Field checkbox. Otherwise, only the table will be recorded (the default).
To include the server IP address, mark the Include Server IP checkbox.
If you have selected an alerting action, a Receiver row appears on the panel, and you must add at least one receiver for the alert. Click the Modify Receivers button to add one or more receivers. (See Notifications in the Common Tools book.)
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Each time the classification rule is matched, the selected privacy set's object-field list will be replaced.
For a database file, the object component of the privacy set will be the database table name, and the field component will be the column name.
For an unstructured data file, the object component of the privacy set will be the file name (in quotes), and the field component will be the column name; if column names cannot be determined, the columns are named column1, column2, and so on.
Select the previously defined Privacy Set whose contents you want to replace.
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Each time the classification rule is matched, a policy violation will be logged. This means that classification policy violations will be logged (and can be reported) together with access policy violations (and optionally correlation alerts) that may have been produced.
Select a Severity code from the list.
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.
Each time the classification rule is matched, an alert will be sent.
Select a Notification Type code from the list.
Click the Modify Receivers button to add one or more receivers. (See Notifications in the Common Tools book.)
Click the Accept button to add the action to the rule definition, close the Action panel, and return to the rule definition panel.