The management of users and roles is usually reserved for the access manager: the Guardium user who is assigned the accessmgr user name. Defining and modifying users involves deciding both who will be using the Guardium system and to what roles they will be assigned. A role is a group of users, all of whom are granted the same access privileges. For more information on roles, see Manage Roles.
Note: A default layout can be defined for a role, so that any new user assigned that role will have that layout. See Generate New Layout in the CLI Reference.
User definitions can be imported from an LDAP server, on demand or on a schedule. For more information, see Import Users from LDAP.
Regardless of how users are defined to the Guardium appliance, the Guardium administrator can configure the appliance to authenticate users via Guardium, LDAP, or Radius. See Authentication Configuration in the Guardium Administration Guide for more information.
When getting started with a Guardium appliance, an important early task is to identify which groups of users will use that appliance, and what their function will be. For example, an information security group might use Guardium for alerting and troubleshooting purposes; a database administrator group might use Guardium for reporting and monitoring. When deciding who will access the Guardium system, keep in mind that sensitive company data can be picked up by the system. Therefore, be very aware of who will be able to access that data.
Once you decide which groups of users will use the Guardium system (and for what purpose), collect the following information for each user:
User’s first and last name
User account name (the name they will use to log in)
User’s email address
User’s function/role with Guardium
Several settings can be changed to provide additional security for user accounts. You can enable or disable these settings using the show and store password CLI commands (see User Account, Password and Authentication CLI Commands in the CLI Reference).
By default, password validation is enabled. This means that a minimum of eight characters is required, and the password must contain at least one character from each of the following categories:
Uppercase letters: A-Z
Lowercase letters: a-z
Digits: 0-9
Special characters: @#$%^&.;!-+=_
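The validation rules above can be expressed as a small checker. The following is an added example, not Guardium's own code: it applies the documented minimum length and the four character categories (using the special-character set listed above), and treats the "any characters are allowed when validation is disabled" rule as meaning that, with validation enabled, characters outside the four categories are reported; that last reading is an assumption made here.

```python
from typing import Callable, Dict, List

# Policy values as documented on the page: eight characters minimum and at
# least one character from each of the four categories.
MIN_LENGTH = 8
SPECIALS = "@#$%^&.;!-+=_"

CATEGORIES: Dict[str, Callable[[str], bool]] = {
    "uppercase": lambda c: "A" <= c <= "Z",
    "lowercase": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "special": lambda c: c in SPECIALS,
}


def check_password(candidate: str, validation_enabled: bool = True) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes.

    With validation disabled, any characters are allowed, so nothing is checked.
    """
    if not validation_enabled:
        return []

    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    for name, test in CATEGORIES.items():
        if not any(test(c) for c in candidate):
            problems.append(f"missing {name} character")

    # Assumption made in this example: while validation is on, only characters
    # belonging to one of the four documented categories are accepted.
    unrecognised = sorted({c for c in candidate if not any(t(c) for t in CATEGORIES.values())})
    if unrecognised:
        problems.append("unrecognised characters: " + "".join(unrecognised))

    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Guard1um!", "guardium", "Ab1!", "Guard1um!~"):
        print(repr(sample), "->", check_password(sample) or "ok")
```

An empty list from check_password means the candidate satisfies every documented rule; each string in a non-empty list names one rule it fails, which is more useful for a user-facing message than a bare pass/fail.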
By default, password expiration is disabled. Passwords can be configured to expire after a fixed number of days.
By default, account lockout following a specified number of failed login attempts is disabled. Lockout can be configured to occur after a fixed number of attempts in a given time, or after a total number of attempts for the life of the account.
The Guardium access manager can enable a disabled user account from the User Maintenance panel.
If the admin user account becomes locked, use the unlock admin CLI command to unlock it (see Configuration and Control CLI Commands in the CLI Reference).
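The expiration and lockout behaviour described above (expiry after a fixed number of days; lockout after a number of failures within a time window, or after a lifetime total; re-enabling by the access manager) can be modelled as follows. This is an added example written for this page, not Guardium's own implementation; the thresholds and timestamps are constructed, and the exact way the appliance ages out old failures within the window is an assumption.

```python
from collections import deque
from datetime import date
from typing import Deque, Dict, Optional, Set, Union


def password_expired(last_changed: date, today: date, expire_after_days: Optional[int]) -> bool:
    """Expiration is disabled by default (None); otherwise the password is expired
    once the configured number of days has elapsed since it was last changed."""
    if expire_after_days is None:
        return False
    return (today - last_changed).days >= expire_after_days


class LockoutPolicy:
    """Counts failed logins per account and locks the account at the threshold.

    window_seconds=None selects the 'total attempts for the life of the account'
    mode; otherwise only failures inside the last window_seconds count.
    """

    def __init__(self, max_attempts: int, window_seconds: Optional[int] = None) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        # Lifetime mode keeps an integer; windowed mode keeps failure timestamps.
        self.failures: Dict[str, Union[int, Deque[float]]] = {}
        self.locked: Set[str] = set()

    def record_failure(self, account: str, now: float) -> bool:
        """Record one failed login at time `now`; return True if the account is now locked."""
        if self.window is None:
            count = int(self.failures.get(account, 0)) + 1
            self.failures[account] = count
        else:
            stamps = self.failures.setdefault(account, deque())
            assert isinstance(stamps, deque)
            stamps.append(now)
            # Assumption: failures older than the window no longer count.
            while stamps and now - stamps[0] > self.window:
                stamps.popleft()
            count = len(stamps)
        if count >= self.max_attempts:
            self.locked.add(account)
        return account in self.locked

    def is_locked(self, account: str) -> bool:
        return account in self.locked

    def unlock(self, account: str) -> None:
        """What the access manager does from User Maintenance (or `unlock admin`
        from the CLI for the admin account): clear the lock and the counter."""
        self.locked.discard(account)
        self.failures.pop(account, None)


if __name__ == "__main__":
    # Constructed scenario: three failures within 60 seconds lock the account.
    policy = LockoutPolicy(max_attempts=3, window_seconds=60)
    for t in (0, 10, 100, 120, 130):
        print("t=%3d locked=%s" % (t, policy.record_failure("alice", t)))
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 3, 1), 60))
```

Note the difference between the two modes: in the windowed policy, failures that fall outside the window stop counting, so a slow trickle of mistakes never locks the account, whereas the lifetime policy accumulates every failure until the access manager unlocks the account.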
To add a user:
Select Access Management > User Browser to open the User Browser panel.
Click the Add User link at the bottom of the panel to open the User Form panel.
Enter a unique name in the Username box. Do not include apostrophe characters in the name. User names are not case sensitive.
Enter a password in the Password box, and again in the Password (confirm) box. The password you assign will be temporary, and the user will be required to change it following the first login. Passwords are case sensitive. When password validation is enabled (the default), the password must be eight or more characters in length, and must include at least one uppercase alphabetic character (A-Z), one lowercase alphabetic character (a-z), one digit (0-9), and one special character from the following set: @$%^&.;!-+=_ If password validation is disabled, any characters are allowed.
Enter the user’s first name in the First Name box.
Enter the user’s last name in the Last Name box. A restriction applies to investigation users: their last name must be INV_1, INV_2 or INV_3. The GUI does not enforce this, but the Investigation application requires it to function properly. An investigation user must have the inv role and no other roles, not even user. This is the only case in which the user or admin role is not required.
Enter the user’s email address in the Email box.
Clear the Disabled box to enable the user. We suggest that you defer enabling the account until the correct set of roles has been assigned to the user. When a user logs in for the first time, their layout is built from all of the roles assigned at that time. If roles are added later, the user gains access to everything available to those roles, but must add the reports or applications particular to each role manually. It is much simpler to assign the roles first, so that the user has all components in their layout the first time they log in.
Click Add User to save the new user account definition and close the panel.
This completes the User definition. We suggest that you add the appropriate Roles for the user before informing them of their password for the initial login. See Role Management.
To modify a user:
Select Access Management > User Browser to open the User Browser panel.
Click the Edit link for the user.
Replace any values in the User Form panel.
Click the Update User button.
To re-enable a disabled user (for example, after a lockout):
Select Access Management > User Browser to open the User Browser panel.
Click the Edit link for the user.
Clear the Disabled checkbox.
If the user has forgotten their password, enter a new password in both the Password and Password (confirm) boxes.
Click the Update User button.
To remove a user:
Select Access Management > User Browser to open the User Browser panel.
Click the Remove link for the user. This opens the User Form for the user.
Click the Confirm Deletion button.