It is often useful to group elements of the same type. Grouping can simplify the process of creating policy and query definitions. It can also make the presentation of information on reports more straightforward.
For example, assume that your company has 25 separate data objects containing sensitive employee information, and you need to report on all access to these items. You could formulate a very long query testing for each of the 25 items. Alternatively, you could define a single group called sensitive employee info, containing those 25 objects. That way, in queries or policy rule definitions, you only need to test if an object is a member of that group.
An additional benefit of groups is that they can ease maintenance requirements when the group’s composition changes. To continue the example, if your company decides that two more objects need to be added to the sensitive employee info group, you only need to update the group definition, and not all of the queries, reports, policies, etc. that reference the group.
Note: If a group used by the installed security policy changes, the security policy must be re-installed to pick up the changed group membership. This allows you to update a group without having an instantaneous effect on the installed security policy.
Groups are used by all subsystems, and all users share a single set of groups. You should, therefore, be very careful when making changes to or deleting groups, since you may inadvertently affect other users. A common best practice is to clone a group. Then make changes to it, tagging it with your name as part of the group’s name, to clarify that you own this group.
Some groups contain members that are composites of two other attributes, sometimes referred to as tuple. This simplifies the specification of conditions for reporting and policy rules. For example:
Command-Object groups can be used in reports and policies.
Object-Field groups can be used in reports and policies.
ClientIP-DBUser groups can be used in reports only.
Using the Group Builder, you can populate a group with members either by entering them one at a time manually, or automatically as follows:
By importing information from an LDAP server
By analyzing stored procedure definitions on a database server
By observing stored procedure definitions and calls in database traffic
By running a query on the data logged by Guardium or on a custom table
By cloning an existing group
By running a classification process
Once you have configured a group to be populated automatically using any of the above techniques, you can run the job on demand, or you can schedule it to run at a specific time or on a periodic basis. With any of the automatic group population mechanisms, members may be added to existing groups, but members will not be removed.
Regardless of how a group is populated, you can always edit the group membership manually.
In some cases you will want to define groups with overlapping membership. For example, two predefined groups: Create Commands and DDL Commands both have a member named CREATE TABLE. Since both groups contain a member with the same name, these groups are said to have overlapping membership. If you are querying for either one group or the other, all of the Create Table commands from the reporting period will be counted in that group (as expected). In contrast, if you run a report that does not select on a single command group, and on the Customize Portlet panel you select Commands from the GROUPING_SUB_TYPE list, each Create Table command from the reporting period will be counted in both groups, and perhaps other command groups as well.
In some cases you may want to define a set of groups such that each member belongs to only one group. These groups have exclusive membership. For example, suppose that for reporting purposes you need to group database users into one of two groups: Employees or Consultants. You would define each of those groups with the same sub-group type (Employee-Status, for example). When a sub-group type is specified, the system will not allow you to define a member with the same name that has already been defined in another group with the same sub-group type.
There are a number of groups predefined on Guardium appliance. For a list and description of these, see Predefined Groups in the Predefined Content appendix.
Members can include wildcard (%) characters for use when the group is used in a query condition or policy rule. See the examples in the table below.
|
Member |
Matches |
Does NOT Match |
|
aaa% |
aaa |
zzzaaa |
|
%bbb |
bbb,zzbbb |
bb |
|
%ccc% |
ccc |
cc |
There are several conditional operators that apply to groups. These operators are available whenever the attribute included in the condition may be a member of a group. Each conditional operator is described below:
IN GROUP - If the value matches any member of the selected group, the condition is true.
NOT IN GROUP - If the value does not match any member of the selected group, the condition is true.
IN DYNAMIC GROUP - If the value matches any member of a group that will named as a run-time parameter, the condition is true.
NOT IN DYNAMIC GROUP - If the value does not match any member of a group that will named as a run-time parameter, the condition is true.
LIKE GROUP -
If the value is like
any member of the selected group, the condition is true (see the note
below for the definition of "like"). This condition enables
wildcard (%) characters in the group member names.
Note: A like member
value uses one or more wildcard (%) characters, and matches all or part
of the value. For a like comparison,
alphabetic characters are not case sensitive. For example, %tea%
would match tea, TeA,
tEam, or steam.
In a policy rule, there are several ways groups can be used either alone or in combination to control when the rule is fired. Wherever a group can be selected, a new group can be defined (and then selected) by clicking the Group tool button.
Be aware that the members of the group may contain wildcard (%) characters, so that in the examples below where a group is selected, an individual member may match multiple values.
The examples below are for the DB User attribute, but apply to all attributes where the group may be selected.
Select a group from the group list box:
A single combined count of matches will be maintained for all members of the specified group. So if the rule is defined to fire after the third match in a specified timeframe, three different users or the same user could trigger the rule.
A single combined count of matches will be incremented each time that the
named DB User or any member of the selected group satisfies the rule.
This is similar to the above case in that a combined count is maintained.
Enter a dot (period) character in the text box, and select a group:
A separate count will be kept for every member of the selected group, and the rule will be triggered whenever the minimum count for the rule is met by an individual member.
When a USERS group is selected as a receiver in a workflow automation definition, every user of the group will receive a set of results. For any task within the process that is associated with specific users (either by using the special ./LoggedUser value as a run-time parameter or via a custom domain), that task will be run separately for each user of the group, so that each user will receive results for their account only.
Do one of the following:
Administrators: Click the Tools tab, click the Config & Control tab, and select Group Builder from the menu.
All Others:
Click the Monitor/Audit tab, click
Build Reports, and click the 
Group builder button in the lower
right portion of the panel.
From a rule builder panel, click the Group builder button beside any field that
allows groups.
The Group Builder opens two panels. Return to the topic list at the top of this help page, and select one of the modify or populate topics.
Open the Create New Group panel. (See Open the Group Builder, above.)
In the Group Description field, enter a unique description for the new group. Do not include apostrophe characters in this field.
Select a Group Type Description from the list.
If sub-types have been defined for the selected group type, an Existing Sub-types field appears in the panel.
Optionally, enter a Group Sub Type Description. A sub type is used to collect multiple groups of the same group type, where the membership of each group is exclusive. For example, assume that you have database servers located in three data centers, and that you want to group the servers by location. You would define a separate group of database servers for each location, and define all three groups with the same sub type.
Optionally, enter a Category, which is an optional label used to group items like policy violations or groups.
Optionally, enter a Classification,
which is another optional label used for policy violations and groups.
Note: Before clicking the Add
button to save the new group definition, be aware that you cannot change
any of the information entered on this panel. If you need to change anything
later, you will need to clone the group.
Click the Add button. This opens the Manage Members for Selected Group panel. See Manually Edit Group Membership, below, for a description of how to add, modify, and remove members of the group. Once you have added a group definition, you cannot change any of the settings on the Create New Group panel.
Open the Group Builder. (See Open the Group Builder, above.)
Select the group you want to modify.
Click the Modify button. This opens the Manage Members for selected Groups panel.
Do one of the following:
You can populate groups from an LDAP server. To do this, first define a group, and then configure an import operation to obtain the appropriate set of members from an LDAP server. You can run the import operation on demand, or schedule it to run at a specific time or on a periodic basis. When you run the import on demand, you are presented with the set of LDAP entries that satisfy your search criteria, and you must select which ones should be added to the group. When run on a scheduled basis, all entries returned by your search will be added to the group.
Note: An LDAP import operation adds members to a group. It does not delete members.
Note: Guardium administrators use a separate LDAP Import function to define Guardium users and roles from an LDAP server. See LDAP User Import.
To configure a group-member import from an LDAP server:
If the Group Builder is not open, see Open the Group Builder, above.
In the Modify Existing Groups panel, select the group to which you want to add members.
Click the LDAP button to open the Set Up LDAP Import panel.
In the LDAP Host Name box, enter the IP address or host name for the LDAP server to be accessed.
In the Port box, enter the port number for connecting to the LDAP server.
Select the LDAP server type from the Server Type list.
Mark the Use SSL Connection
checkbox if Guardium is to connect to your LDAP server using an SSL (secure
socket layer) connection.
Note: Consult with your LDAP administrator
regarding the setup within your LDAP infrastructure to determine the connection
method used in your environment.
In the Base DN box, specify the node in the tree at which to begin the search; for example a company tree might begin like this: DC=encore,DC=corp,DC=root
For Import Mode, select Add on to add, but not replace member information, or select Override to replace existing member information. Regardless of the selection, no members will be deleted.
In the Log In As box, enter the user account to use for the connection from the Guardium server.
In the Password box, enter the password for the above user.
In the Search Filter
box, optionally enter LDAP search criteria. Typically, imports will be
based on membership in an LDAP group, so the filter might use the memberOF keyword and look something
like this: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
See your LDAP server documentation if you need help in this area.
For Search Filter Scope, select One-Level to apply the search to the base level only, or Sub-Tree to apply the search to levels beneath the base level.
In the Limit box, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that you do not inadvertently load an excessive number of members.
In the Attribute to Import box, enter the LDAP attribute to be used to populate the group member. The default is CN.
Click the Apply
or Update button to save the configuration.
(After you have saved the configuration once, the Apply button becomes
an Update button.)
Note: After saving an LDAP import
configuration, you can perform the following tasks, each of which is described
in a separate section. Because it is easy to miscode LDAP queries, we
suggest that you test each new or modified query by using the Limit
field (described above) and by running the query once on demand (see below),
to verify that the correct set of members is being returned.
Perform one of the following procedures:
When you run an LDAP import on demand, you have the opportunity to accept or reject each of the members returned by the query. This is especially useful for testing purposes.
If the Group Builder is not open, see Open the Group Builder, above.
In the Modify Existing Groups panel, select the group to which you want to add members.
Click the LDAP button to open the Set Up LDAP Import panel.
Click the Run Once Now button. (If you have made any changes, the button will be disabled until you have applied the changes.)
After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.
Mark the items you want to add to the group, and click Import, or click Cancel to return without importing any members.
You can verify the group members by returning to the Modify Existing Groups panel, selecting the appropriate group from the list, and clicking Modify, or you can use a predefined report to list the group members. The latter approach provides more information, as it shows the timestamp when each member was added to the group. See Reports Showing Group Membership.
When you schedule an LDAP import to run at a specific time or on a periodic basis, all of the LDAP entries that satisfy your search criteria will be imported to the group. In contrast, when the query is run on demand (see the previous topic), you have the opportunity to accept or reject each entry returned from the LDAP server.
If the Group Builder is not open, see Open the Group Builder, above.
In the Modify Existing Groups panel, select the group for which you want to schedule an LDAP import task.
Click the LDAP button to open the Set Up LDAP Import panel.
Click the Modify Schedule button. (If you have made any changes to the LDAP import configuration for this group, the button will be disabled until you have applied the changes.)
For instructions on how to use the general-purpose
task scheduler, see Scheduling.
Once a schedule has been defined, a Pause
button appears on the Set Up LDAP Import panel. If you click that button,
the schedule is paused, and the Pause button is replaced by a Resume button.
Once a scheduled task has run, you can verify the group members by returning to the Modify Existing Groups panel, selecting the appropriate group from the list, and clicking Modify, or you can use a predefined report to list the group members. The latter approach provides more information, as it shows the timestamp when each member was added to the group. See Reports Showing Group Membership.
You can check a group's membership by opening it in the Modify Existing Groups pane of the Group Builder (as described above), but it can be difficult to view large groups that way, and you are limited to displaying one group at a time. Alternatively, you can use the predefined Guardium Group Details Report, which lists groups and members.
The predefined Guardium Group Details report is on the default administrator layout, on the Guardium Monitor tab, and it can be added to a user layout from the Custom Reporting tab (click Monitor/Audit, then Build Reports).
You can use the Group Description or Group Type run-time parameters to control what groups will be listed.
The Group Builder can automatically populate Command or Object groups by analyzing and extracting member names from stored procedures. It can do this in two ways:
By analyzing stored procedure source code. To use this method, Guardium must access the database on which the stored procedures have been defined, and the stored procedures must not be stored in encrypted format.
By analyzing stored procedures in database traffic that has been monitored and logged by Guardium. To use this method, the Guardium appliance must be inspecting the appropriate database streams, and logging the information (as opposed to – for example – using ignore session or skip logging actions), and the analysis task must run while the data is still on the unit (as opposed to – for example – after an archive/purge operation).
There are two groups involved when populating a group from stored procedures:
The receiving group is the one to which members will be added.
The starting group must be an existing Commands or Objects group. The members of the starting group will be used when examining stored procedures. If a member of the starting group is detected in a stored procedure, that stored procedure name will be added to the receiving group. The search-and-add process is recursive. For example, if the stored procedure named prox_one is added to the receiving group, and prox_one is referenced in prox_two, prox_two will also be added to the receiving group, and so forth.
To get started:
If the Group Builder is not open, see Open the Group Builder, above.
In the Modify Existing Groups panel, select the group, which must be either a Commands or Objects group.
Click the Auto Generated Calling Prox button, and you will be presented with two choices. Click one of the links below to continue with the appropriate procedure:
Using DB Sources - Populate the group by analyzing the stored procedure definitions from one or more databases.
Using Observed Procedures - Populate the group by analyzing the CREATE PROCEDURE and ALTER PROCEDURE commands as they are observed in the database traffic.
Guardium will analyze the stored procedure source code, on one or more database servers. To use this method:
You must know where the stored procedures of interest are defined.
The sources must not be stored in encrypted format.
You must have access to the stored procedure sources on those databases.
To populate a group using database sources:
On the Modify Existing Groups panel, select the starting group, click the Auto Generated Calling Prox button, and select the Using DB Sources option, as described above. This opens the Analyze Stored Procedures panel.
Click the Add Datasource button to open the Datasource Finder window. (See Datasources for detailed instructions on how to define and use datasources.)
Select a datasource from the list, and click the Add button. The selected datasource will appear in the Datasources pane of the Analyze Stored Procedures panel.
Use the Query Parameters (Optional) pane to restrict the operation, as described below. If a box is not available for the selected database type, it will not appear on the pane.
For Sybase, MS SQL Server, and Informix only. In the Database Name box, enter a database name to restrict the operation to that database. If left blank for a Sybase or MS SQL Server database, all stored procedures in the master database will be analyzed.
For MySQL, Oracle or DB2 only. In the Schema Owner box, enter a schema name to restrict the operation to databases owned by that schema. For MySQL only, the Schema Owner is in the form user_name@host, where host can be a specific IP or it can be a % to specify all hosts. So to get all hosts, enter the schema name followed by %.
For MySQL, Oracle or DB2 only. In the Object Name box, enter a stored procedure name, with wildcard characters if desired, to restrict the operation to a specific set of procedure names. For example, if only interested in the procedures beginning with the letters ABC, enter ABC% in the Object Name box.
In the Source Detail Configuration pane, mark the Flatten Namespace checkbox to create member names using wildcard characters, so that the group can be used for LIKE GROUP comparisons. For example, if sp_1, is discovered, the member %sp_1% will be added to the group, and in a LIKE GROUP comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.
Do one of the following:
Mark the Append box to add members to an existing group, and then select that group from the Existing Group Name list.
Enter a new group name in the New Group Name box. Do not include apostrophe characters in a group name.
Click the Analyze Database button. Because the operation may take an extended amount of time, you are prompted to continue. When the analyze database operation completes, you will be informed of the results.
Guardium will populate the group by inspecting all changes or additions to stored procedures. This keeps the mapping information up-to-date through continuous analysis of changes to stored procedures. Therefore, this function can be used to augment the static analysis described in the previous section.
To populate a group using observed procedures:
On the Modify Existing Groups panel, select the starting group, click the Auto Generated Calling Prox button, and select the Using Observed Procedures option, as described above. This opens the Analyze Observed Stored Procedures panel.
Multiple analysis operations can be defined and scheduled, with each previously defined configuration available for editing from the Source Details list. To edit an existing configuration, select it from the Source Details list.
In the Access Information pane, select all of the database servers to be analyzed. You can mark any combination of check-boxes.
In the Source Detail Configuration pane, mark the Flatten Namespace checkbox to create member names using wildcard characters, so that the group can be used for LIKE GROUP comparisons. For example, if sp_1, is discovered, the member %sp_1% will be added to the group, and in a LIKE GROUP comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.
Do one of the following:
Mark the Append box to add members to an existing group, and then select that group from the Existing Group Name list.
Enter a new group name in the New Group Name box. Do not include apostrophe characters in a group name.
Click the Save button to save the configuration.
Click Run Once Now to run the query immediately, or click the Modify Schedule button (see Scheduling) to define a schedule for the operation. If you run the task immediately, you will be informed of the results.
This method of populating groups is most useful after the external data connector has uploaded a custom table has been to the Guardium appliance.
If the Group Builder is not open, see Open the Group Builder, above.
In the Modify Existing Groups panel, select the group to which you want to add members.
Click the Populate From Query button to open the Populate Group From Query Set Up panel. Initially, only the Query list box displays in the Set Up Query To Run pane.
From the Query list, select the query to be run. Depending on the type of group being populated, either one or two additional list boxes will appear in the pane. For most group types, the Fetch Member From Column list box will appear; for paired attribute groups (Object Command, Object Field, or Client IP/DB User), two list boxes will appear: Choose Column for Attribute 1 and Choose Column for Attribute 2. Select the column (or columns) to be used to populate the group. The run-time parameters for the query will then be added to the pane.
Enter the required From Date and To Date run-time parameters, and any additional run-time parameters for the query.
Optionally select a remote source (only available from a Central Manager).
Click Save to save the definition.
Click Run Once Now to run the query immediately, or click the Modify Schedule button (see Scheduling) to define a schedule for the operation. If you run the task immediately, you will be informed of the results.
Use the Manage Members for Selected Group panel to manually edit group members. If that panel is not open, see Open the Group Builder, select the group you want to edit, and click the Modify button.
Do one of the following:
Enter the new member name in the Create & add a new Member named box.
Select an available member name from the Add an existing Member to Group box.
Click the 
button to the right of the item just entered
or selected.
Click the Done button when you have finished making all changes.
In the Group Members list, select the member to be renamed. It will display in the Rename Selected Member to box.
In the Rename selected Member to box, edit the name.
Click the 
button to the right of the box. The updated
name will replace the old name in the list. Because the list is alphabetized,
the new name may not appear in the same position as the old one.
Click the Done button when you have finished making all changes.
In the Group Members list, select the member to be removed.
Click the 
button beside Delete
Selected Member.
Click the Done button when you have finished making all changes.
Note: All of the “automatic” methods that can be used to populate groups: LDAP import, group import from the Administrator Console, member population from stored procedures, or member population from a query – add members to groups, but never remove members.
Click the Reset to Predefined button to completely replace the current group members with the set of predefined members for this group.
If the Group Builder is not open, see Open the Group Builder, above.
In the Modify Existing Groups panel, select a group for adding or editing aliases.
Click the Aliases button to open the Alias Quick Definition window.
Enter aliases in the Alias column. The first value shown is always the group name. If an alias is defined for the group name, the alias displays in reports that are grouped by objects.
When done applying all aliases, click the Apply, and then click the Close this window link.
Open the Group Builder. (See Open the Group Builder, above.)
Select the group you want to delete.
Click the Remove button and respond to the prompt to confirm the action.