Groups

Groups Overview

It is often useful to group elements of the same type. Grouping can simplify the process of creating policy and query definitions. It can also make the presentation of information on reports more straightforward.

For example, assume that your company has 25 separate data objects containing sensitive employee information, and you need to report on all access to these items. You could formulate a very long query testing for each of the 25 items. Alternatively, you could define a single group called sensitive employee info, containing those 25 objects. That way, in queries or policy rule definitions, you only need to test if an object is a member of that group.

An additional benefit of groups is that they can ease maintenance requirements when the group’s composition changes. To continue the example, if your company decides that two more objects need to be added to the sensitive employee info group, you only need to update the group definition, and not all of the queries, reports, policies, etc. that reference the group.

Note: If a group used by the installed security policy changes, the security policy must be re-installed to pick up the changed group membership. This allows you to update a group without having an instantaneous effect on the installed security policy.

Groups are used by all subsystems, and all users share a single set of groups. You should, therefore, be very careful when making changes to or deleting groups, since you may inadvertently affect other users. A common best practice is to clone a group. Then make changes to it, tagging it with your name as part of the group’s name, to clarify that you own this group.

Some groups contain members that are composites of two other attributes, sometimes referred to as a tuple. This simplifies the specification of conditions for reporting and policy rules. For example:

Options for Populating Groups with Members

Using the Group Builder, you can populate a group with members either by entering them one at a time manually, or automatically as follows:

Once you have configured a group to be populated automatically using any of the above techniques, you can run the job on demand, or you can schedule it to run at a specific time or on a periodic basis. With any of the automatic group population mechanisms, members may be added to existing groups, but members will not be removed.

Regardless of how a group is populated, you can always edit the group membership manually.

Overlapping or Exclusive Group Membership

In some cases you will want to define groups with overlapping membership. For example, two predefined groups: Create Commands and DDL Commands both have a member named CREATE TABLE. Since both groups contain a member with the same name, these groups are said to have overlapping membership. If you are querying for either one group or the other, all of the Create Table commands from the reporting period will be counted in that group (as expected). In contrast, if you run a report that does not select on a single command group, and on the Customize Portlet panel you select Commands from the GROUPING_SUB_TYPE list, each Create Table command from the reporting period will be counted in both groups, and perhaps other command groups as well.

In some cases you may want to define a set of groups such that each member belongs to only one group. These groups have exclusive membership. For example, suppose that for reporting purposes you need to group database users into one of two groups: Employees or Consultants. You would define each of those groups with the same sub-group type (Employee-Status, for example). When a sub-group type is specified, the system will not allow you to define a member with the same name that has already been defined in another group with the same sub-group type.

Predefined Groups

There are a number of groups predefined on the Guardium appliance. For a list and description of these, see Predefined Groups in the Predefined Content appendix.

Wildcards in Members

Members can include wildcard (%) characters for use when the group is used in a query condition or policy rule. See the examples in the table below.

Member     Matches                    Does NOT Match
aaa%       aaa, aaazzz                zzzaaa, aaz
%bbb       bbb, zzbbb                 bb, bbbzzz
%ccc%      ccc, ccczz, zzzccczzz      cc, zzzcczzz

Use Groups in Queries

There are several conditional operators that apply to groups. These operators are available whenever the attribute included in the condition may be a member of a group. Each conditional operator is described below:

Use Groups in Policy Rules

In a policy rule, there are several ways groups can be used either alone or in combination to control when the rule is fired. Wherever a group can be selected, a new group can be defined (and then selected) by clicking the Group tool button.

Be aware that the members of the group may contain wildcard (%) characters, so that in the examples below where a group is selected, an individual member may match multiple values.

The examples below are for the DB User attribute, but apply to all attributes where the group may be selected.

To match any member of a group

Select a group from the group list box:

A single combined count of matches will be maintained for all members of the specified group. So if the rule is defined to fire after the third match in a specified timeframe, three different users or the same user could trigger the rule.

To match the specified value or any member of a group



A single combined count of matches will be incremented each time that the named DB User or any member of the selected group satisfies the rule. This is similar to the above case in that a combined count is maintained.

To match any member of a group, but count matches for each member individually

Enter a dot (period) character in the text box, and select a group:

A separate count will be kept for every member of the selected group, and the rule will be triggered whenever the minimum count for the rule is met by an individual member.
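The following is an added example (not Guardium code) that replays a constructed list of DB User values against the three rule forms described above, using the same % wildcard semantics as the Wildcards in Members table and the flattened %sp_1% members used in LIKE GROUP comparisons. The group, the event list, case-sensitive matching and keying per-member counts on the first matching member are assumptions; the timeframe window is not modelled.

```python
import re
from collections import defaultdict

# Constructed sample group of DB User members; "bob%" is a wildcard member.
GROUP = ["alice", "bob%"]
# Constructed sequence of DB User values seen in one timeframe (oldest first).
EVENTS = ["alice", "bob1", "carol", "bob2", "alice"]


def member_matches(member, value):
    """True if a group member matches a value: '%' stands for any run of
    characters (including none); every other character is literal.
    Case-sensitive comparison is an assumption; the page does not say."""
    pattern = "".join(".*" if ch == "%" else re.escape(ch) for ch in member)
    return re.fullmatch(pattern, value) is not None


def matching_member(group, value):
    """Return the first member of the group that matches the value, or None.
    Keying per-member counts on the first match is an assumption."""
    for member in group:
        if member_matches(member, value):
            return member
    return None


def in_group(group, value):
    """LIKE GROUP style test: does any member (wildcards included) match?"""
    return matching_member(group, value) is not None


def evaluate_rule(events, threshold, group, named_value=None, per_member=False):
    """Replay DB User values against a rule and return the indexes of the
    events on which the rule fires (the count reaches the threshold).
      group only                -> one combined count over all members
      named_value="x"           -> the named user or any member feeds the
                                   same combined count
      per_member=True (the '.') -> a separate count for each matching member
    The timeframe window is not modelled; EVENTS is assumed to fall inside
    one window."""
    counts = defaultdict(int)
    fired = []
    for index, user in enumerate(events):
        member = matching_member(group, user)
        if member is None and user != named_value:
            continue
        key = (member if member is not None else named_value) if per_member else "combined"
        counts[key] += 1
        if counts[key] == threshold:
            fired.append(index)
    return fired


if __name__ == "__main__":
    print("wildcard table:", member_matches("%ccc%", "zzzccczzz"),
          member_matches("aaa%", "zzzaaa"))
    print("flattened namespace:", in_group(["%sp_1%"], "sss_sp_103"))
    print("combined count, fires at:", evaluate_rule(EVENTS, 3, GROUP))
    print("named user + group:", evaluate_rule(EVENTS, 3, GROUP, named_value="carol"))
    print("per-member count:", evaluate_rule(EVENTS, 2, GROUP, per_member=True))
```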

Distribute Compliance Workflow Automation Results to Groups

When a USERS group is selected as a receiver in a workflow automation definition, every user of the group will receive a set of results. For any task within the process that is associated with specific users (either by using the special ./LoggedUser value as a run-time parameter or via a custom domain), that task will be run separately for each user of the group, so that each user will receive results for their account only.

Open the Group Builder

Do one of the following:

The Group Builder opens two panels. Return to the topic list at the top of this help page, and select one of the modify or populate topics.

Create a New Group

  1. Open the Create New Group panel. (See Open the Group Builder, above.)

  2. In the Group Description field, enter a unique description for the new group. Do not include apostrophe characters in this field.

  3. Select a Group Type Description from the list.

  4. If sub-types have been defined for the selected group type, an Existing Sub-types field appears in the panel.

  5. Optionally, enter a Group Sub Type Description. A sub type is used to collect multiple groups of the same group type, where the membership of each group is exclusive. For example, assume that you have database servers located in three data centers, and that you want to group the servers by location. You would define a separate group of database servers for each location, and define all three groups with the same sub type.

  6. Optionally, enter a Category, which is an optional label used to group items like policy violations or groups.

  7. Optionally, enter a Classification, which is another optional label used for policy violations and groups.

    Note: Before clicking the Add button to save the new group definition, be aware that you cannot change any of the information entered on this panel. If you need to change anything later, you will need to clone the group.

  8. Click the Add button. This opens the Manage Members for Selected Group panel. See Manually Edit Group Membership, below, for a description of how to add, modify, and remove members of the group. Once you have added a group definition, you cannot change any of the settings on the Create New Group panel.

Modify an Existing Group

  1. Open the Group Builder. (See Open the Group Builder, above.)

  2. Select the group you want to modify.

  3. Click the Modify button. This opens the Manage Members for selected Groups panel.

  4. Do one of the following:

Populate a Group from LDAP

You can populate groups from an LDAP server. To do this, first define a group, and then configure an import operation to obtain the appropriate set of members from an LDAP server. You can run the import operation on demand, or schedule it to run at a specific time or on a periodic basis. When you run the import on demand, you are presented with the set of LDAP entries that satisfy your search criteria, and you must select which ones should be added to the group. When run on a scheduled basis, all entries returned by your search will be added to the group.

Note: An LDAP import operation adds members to a group. It does not delete members.

Note: Guardium administrators use a separate LDAP Import function to define Guardium users and roles from an LDAP server. See LDAP User Import.

To configure a group-member import from an LDAP server:

  1. If the Group Builder is not open, see Open the Group Builder, above.

  2. In the Modify Existing Groups panel, select the group to which you want to add members.

  3. Click the LDAP button to open the Set Up LDAP Import panel.

  4. In the LDAP Host Name box, enter the IP address or host name for the LDAP server to be accessed.

  5. In the Port box, enter the port number for connecting to the LDAP server.

  6. Select the LDAP server type from the Server Type list.

  7. Mark the Use SSL Connection checkbox if Guardium is to connect to your LDAP server using an SSL (secure socket layer) connection.

    Note: Consult with your LDAP administrator regarding the setup within your LDAP infrastructure to determine the connection method used in your environment.

  8. In the Base DN box, specify the node in the tree at which to begin the search; for example a company tree might begin like this: DC=encore,DC=corp,DC=root

  9. For Import Mode, select Add on to add, but not replace member information, or select Override to replace existing member information. Regardless of the selection, no members will be deleted.

  10. In the Log In As box, enter the user account to use for the connection from the Guardium server.

  11. In the Password box, enter the password for the above user.

  12. In the Search Filter box, optionally enter LDAP search criteria. Typically, imports will be based on membership in an LDAP group, so the filter might use the memberOf attribute and look something like this: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
    See your LDAP server documentation if you need help in this area.

  13. For Search Filter Scope, select One-Level to apply the search to the base level only, or Sub-Tree to apply the search to levels beneath the base level.

  14. In the Limit box, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that you do not inadvertently load an excessive number of members.

  15. In the Attribute to Import box, enter the LDAP attribute to be used to populate the group member. The default is CN.

  16. Click the Apply or Update button to save the configuration. (After you have saved the configuration once, the Apply button becomes an Update button.)

    Note: After saving an LDAP import configuration, you can perform the following tasks, each of which is described in a separate section. Because it is easy to miscode LDAP queries, we suggest that you test each new or modified query by using the Limit field (described above) and by running the query once on demand (see below), to verify that the correct set of members is being returned.

  17. Perform one of the following procedures:

Run an LDAP Import On Demand

When you run an LDAP import on demand, you have the opportunity to accept or reject each of the members returned by the query. This is especially useful for testing purposes.

  1. If the Group Builder is not open, see Open the Group Builder, above.

  2. In the Modify Existing Groups panel, select the group to which you want to add members.

  3. Click the LDAP button to open the Set Up LDAP Import panel.

  4. Click the Run Once Now button. (If you have made any changes, the button will be disabled until you have applied the changes.)

  5. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.

  6. Mark the items you want to add to the group, and click Import, or click Cancel to return without importing any members.

You can verify the group members by returning to the Modify Existing Groups panel, selecting the appropriate group from the list, and clicking Modify, or you can use a predefined report to list the group members. The latter approach provides more information, as it shows the timestamp when each member was added to the group. See Reports Showing Group Membership.

Schedule an LDAP Import

When you schedule an LDAP import to run at a specific time or on a periodic basis, all of the LDAP entries that satisfy your search criteria will be imported to the group. In contrast, when the query is run on demand (see the previous topic), you have the opportunity to accept or reject each entry returned from the LDAP server.

  1. If the Group Builder is not open, see Open the Group Builder, above.

  2. In the Modify Existing Groups panel, select the group for which you want to schedule an LDAP import task.

  3. Click the LDAP button to open the Set Up LDAP Import panel.

  4. Click the Modify Schedule button. (If you have made any changes to the LDAP import configuration for this group, the button will be disabled until you have applied the changes.)

For instructions on how to use the general-purpose task scheduler, see Scheduling.

Once a schedule has been defined, a Pause button appears on the Set Up LDAP Import panel. If you click that button, the schedule is paused, and the Pause button is replaced by a Resume button.

Once a scheduled task has run, you can verify the group members by returning to the Modify Existing Groups panel, selecting the appropriate group from the list, and clicking Modify, or you can use a predefined report to list the group members. The latter approach provides more information, as it shows the timestamp when each member was added to the group. See Reports Showing Group Membership.

Reports Showing Group Membership

You can check a group's membership by opening it in the Modify Existing Groups pane of the Group Builder (as described above), but it can be difficult to view large groups that way, and you are limited to displaying one group at a time. Alternatively, you can use the predefined Guardium Group Details Report, which lists groups and members.

Guardium Group Details Report

The predefined Guardium Group Details report is on the default administrator layout, on the Guardium Monitor tab, and it can be added to a user layout from the Custom Reporting tab (click Monitor/Audit, then Build Reports).

You can use the Group Description or Group Type run-time parameters to control what groups will be listed.

Populate a Group from Stored Procedures

The Group Builder can automatically populate Command or Object groups by analyzing and extracting member names from stored procedures. It can do this in two ways:

There are two groups involved when populating a group from stored procedures:

To get started:

  1. If the Group Builder is not open, see Open the Group Builder, above.

  2. In the Modify Existing Groups panel, select the group, which must be either a Commands or Objects group.

  3. Click the Auto Generated Calling Prox button, and you will be presented with two choices. Click one of the links below to continue with the appropriate procedure:

Populate a Group Using DB Sources

Guardium will analyze the stored procedure source code, on one or more database servers. To use this method:

To populate a group using database sources:

  1. On the Modify Existing Groups panel, select the starting group, click the Auto Generated Calling Prox button, and select the Using DB Sources option, as described above. This opens the Analyze Stored Procedures panel.

  2. Click the Add Datasource button to open the Datasource Finder window. (See Datasources for  detailed instructions on how to define and use datasources.)

  3. Select a datasource from the list, and click the Add button. The selected datasource will appear in the Datasources pane of the Analyze Stored Procedures panel.

  4. Use the Query Parameters (Optional) pane to restrict the operation, as described below. If a box is not available for the selected database type, it will not appear on the pane.

  5. In the Source Detail Configuration pane, mark the Flatten Namespace checkbox to create member names using wildcard characters, so that the group can be used for LIKE GROUP comparisons. For example, if sp_1 is discovered, the member %sp_1% will be added to the group, and in a LIKE GROUP comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.

  6. Do one of the following:

  7. Click the Analyze Database button. Because the operation may take an extended amount of time, you are prompted to continue. When the analyze database operation completes, you will be informed of the results.

Populate a Group Using Observed Procedures

Guardium will populate the group by inspecting all changes or additions to stored procedures. This keeps the mapping information up-to-date through continuous analysis of changes to stored procedures. Therefore, this function can be used to augment the static analysis described in the previous section.

To populate a group using observed procedures:

  1. On the Modify Existing Groups panel, select the starting group, click the Auto Generated Calling Prox button, and select the Using Observed Procedures option, as described above. This opens the Analyze Observed Stored Procedures panel.

  2. Multiple analysis operations can be defined and scheduled, with each previously defined configuration available for editing from the Source Details list. To edit an existing configuration, select it from the Source Details list.

  3. In the Access Information pane, select all of the database servers to be analyzed. You can mark any combination of check-boxes.

  4. In the Source Detail Configuration pane, mark the Flatten Namespace checkbox to create member names using wildcard characters, so that the group can be used for LIKE GROUP comparisons. For example, if sp_1 is discovered, the member %sp_1% will be added to the group, and in a LIKE GROUP comparison, the values sp_101, sp_102, sss_sp_103, etc. would all match.

  5. Do one of the following:

  6. Click the Save button to save the configuration.

  7. Click Run Once Now to run the query immediately, or click the Modify Schedule button (see Scheduling) to define a schedule for the operation. If you run the task immediately, you will be informed of the results.

Populate a Group from a Query

This method of populating groups is most useful after the external data connector has uploaded a custom table to the Guardium appliance.

  1. If the Group Builder is not open, see Open the Group Builder, above.

  2. In the Modify Existing Groups panel, select the group to which you want to add members.

  3. Click the Populate From Query button to open the Populate Group From Query Set Up panel. Initially, only the Query list box displays in the Set Up Query To Run pane.

  4. From the Query list, select the query to be run. Depending on the type of group being populated, either one or two additional list boxes will appear in the pane. For most group types, the Fetch Member From Column list box will appear; for paired attribute groups (Object Command, Object Field, or Client IP/DB User), two list boxes will appear: Choose Column for Attribute 1 and Choose Column for Attribute 2. Select the column (or columns) to be used to populate the group. The run-time parameters for the query will then be added to the pane.

  5. Enter the required From Date and To Date run-time parameters, and any additional run-time parameters for the query.

  6. Optionally select a remote source (only available from a Central Manager).

  7. Click Save to save the definition.

  8. Click Run Once Now to run the query immediately, or click the Modify Schedule button (see Scheduling) to define a schedule for the operation. If you run the task immediately, you will be informed of the results.

Manually Edit Group Members

Use the Manage Members for Selected Group panel to manually edit group members. If that panel is not open, see Open the Group Builder, select the group you want to edit, and click the Modify button.

To Add Members

  1. Do one of the following:

  2. Click the Add to group button to the right of the item just entered or selected.

  3. Click the Done button when you have finished making all changes.

To Rename Members

  1. In the Group Members list, select the member to be renamed. It will display in the Rename Selected Member to box.

  2. In the Rename Selected Member to box, edit the name.

  3. Click the Rename group member button to the right of the box. The updated name will replace the old name in the list. Because the list is alphabetized, the new name may not appear in the same position as the old one.

  4. Click the Done button when you have finished making all changes.

To Remove Members

  1. In the Group Members list, select the member to be removed.

  2. Click the Remove member button beside Delete Selected Member.

  3. Click the Done button when you have finished making all changes.

Note: All of the "automatic" methods that can be used to populate groups (LDAP import, group import from the Administrator Console, member population from stored procedures, and member population from a query) add members to groups, but never remove members.

To Reset to Predefined Membership

Click the Reset to Predefined button to completely replace the current group members with the set of predefined members for this group.

Alias Quick Definition from the Group Builder

  1. If the Group Builder is not open, see Open the Group Builder, above.

  2. In the Modify Existing Groups panel, select a group for adding or editing aliases.

  3. Click the Aliases button to open the Alias Quick Definition window.

  4. Enter aliases in the Alias column. The first value shown is always the group name. If an alias is defined for the group name, the alias displays in reports that are grouped by objects.

  5. When done applying all aliases, click Apply, and then click the Close this window link.

Delete a Group

  1. Open the Group Builder. (See Open the Group Builder, above.)

  2. Select the group you want to delete.

  3. Click the Remove button and respond to the prompt to confirm the action.