Manage Roles

Role Management Overview

A role is a group of Guardium users, all of whom have the same access privileges. The access manager defines roles, and assigns them to users and applications. When a role is assigned to an application or the definition of an item (a specific query, for example), only those Guardium users who are also assigned that role can access that component.

If no security roles are assigned to a component (a report, for example), only the user who defined that component and the admin user can access it.

At installation time, Guardium is configured with a default set of roles, and a default set of user accounts.

When user definitions are imported from an LDAP server, the groups to which they belong can optionally be defined as roles. For more information, see LDAP User Import.

Each default role comes with a default layout. When a user logs in for the first time, that user's initial layout is determined by the roles assigned. After the initial login, adding or removing roles will not alter the user's layout. After a role is removed, if the user attempts to access reports or applications that are no longer authorized, a "not authorized" message will be produced.

Default Roles

The Guardium system is pre-configured to support users who fall into four broadly defined default roles: admin, user, access manager and investigations. The default roles are described below. The Guardium access manager can create new roles as well. Every user must be assigned at least one of the default roles (below), and may additionally be assigned any number of other roles.

Default Role    Description
user            Provides the default layout and access for all common users
admin           Provides the default layout and access for Guardium administrators. Do not confuse the admin role with the admin user, which is a special user account having the admin role, but also having additional powers reserved for the admin user account only (described later).
accessmgr       Provides the default layout and access for the access manager
inv             Provides the default layout and access for investigation users. An investigation user must have the restore-to database name of INV_1, INV_2 or INV_3 as the Last Name in their user definition. This is not enforced by the GUI, but is required for the application to function properly. When the inv role is assigned, the user role must also be assigned.
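The access rule stated above (a component with no roles is reachable only by its owner and the admin user; a component with roles is reachable only by users holding one of them) and the constraints on the default roles can be checked mechanically. The following Python model is an added illustration, not Guardium code: the `User` and `Component` classes, `can_access`, `validate_user` and the sample accounts are constructed here, and the model follows the page's wording literally (it grants no special access to the admin user on a component that has roles assigned, because the page does not say so).

```python
"""Model of the Guardium role-based access rule described in this topic.

Added illustration only; all names below are assumptions, not Guardium APIs.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Default roles from the page: every user must hold at least one of them.
DEFAULT_ROLES = frozenset({"user", "admin", "accessmgr", "inv"})
# An investigation user's Last Name must be one of the restore-to database names.
INV_LAST_NAMES = frozenset({"INV_1", "INV_2", "INV_3"})
# The special admin *account* (distinct from the admin *role*).
ADMIN_USER = "admin"


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    last_name: str = ""


@dataclass(frozen=True)
class Component:
    """A report, query or application definition and the roles assigned to it."""
    name: str
    owner: str                              # the user who defined the component
    roles: FrozenSet[str] = frozenset()     # empty means "no security roles assigned"


def validate_user(u: User) -> List[str]:
    """Return the list of ways a user definition violates the page's role rules."""
    problems = []
    if not (u.roles & DEFAULT_ROLES):
        problems.append(f"{u.name}: must be assigned at least one default role")
    if "inv" in u.roles:
        if "user" not in u.roles:
            problems.append(f"{u.name}: the inv role also requires the user role")
        if u.last_name not in INV_LAST_NAMES:
            problems.append(f"{u.name}: Last Name must be INV_1, INV_2 or INV_3")
    return problems


def can_access(u: User, c: Component) -> bool:
    """Apply the access rule exactly as the page states it."""
    if not c.roles:
        # No roles assigned: only the defining user and the admin user account.
        return u.name == c.owner or u.name == ADMIN_USER
    # Roles assigned: the user must hold at least one of them.
    return bool(u.roles & c.roles)


# Constructed sample accounts and components (not from any real system).
alice = User("alice", frozenset({"user", "dba"}))
bob = User("bob", frozenset({"user"}))
admin = User(ADMIN_USER, frozenset({"admin"}))
private_query = Component("q_private", owner="alice")
dba_report = Component("r_dba", owner="bob", roles=frozenset({"dba"}))


def demo() -> dict:
    """Evaluate the rule for each sample pair; used by the test below."""
    return {
        (u.name, c.name): can_access(u, c)
        for u in (alice, bob, admin)
        for c in (private_query, dba_report)
    }


if __name__ == "__main__":
    for (who, what), ok in demo().items():
        print(f"{who:6} -> {what:10}: {'allowed' if ok else 'denied'}")
    for bad in (User("eve", frozenset({"dba"})),
                User("inv1", frozenset({"inv"}), last_name="Smith")):
        print(validate_user(bad))
```

Running the block prints one allowed/denied line per user and component pair, then the validation problems for two deliberately mis-defined accounts (one with no default role, one with inv but neither the user role nor an INV_n Last Name).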

Sample Roles

In addition to the default roles, a set of sample roles is also defined.

Sample Role     Description
dba             Users who have a database-centric view of security, allowing access to database-related reports and tracking of database objects
infosec         Users who have an information security focus, including tracking access to the database, and handling network requests, audits, and forensics
netadm          Users who have a network-centric view, including IP sources for database requests
appdev          Application developers, architects, and QA personnel who have an application-centric focus and want to track and report on SQL streams generated by an application
audit           Auditors and others who need to view audit reports

Add-On Product Roles

Some roles control access to add-on products; they are listed below. Add-on products are activated by license key, so before assigning one of these roles to a user, make sure the corresponding add-on has been activated.

Product Role    Description
cas             Change Audit System (CAS)
pci             PCI Accelerator
sox             SOX Accelerator

Roles in a Central Manager Environment

In Central Manager environments, all User Accounts, Roles, and Permissions are controlled by the Central Manager. To administer any of these definitions, you must be logged into the Central Manager (and not to a managed unit).

Create a Role

  1. Select Access Management > Security Role Browser to open the Role Browser panel.

  2. Click the Add Role link at the bottom of the panel to open the Role Form panel.

  3. Enter a unique name for the role in the Role Name box.

  4. Click the Add Role button.

Remove a Role

  1. Select Access Management > Security Role Browser to open the Role Browser panel.

  2. Click the Remove link for the role. This opens the User Form for the user.

  3. Click the Confirm Deletion button. A message is displayed informing you that all references to the role will be removed, and you are asked to confirm the action.

  4. Click OK to confirm the deletion, or Cancel to abort the operation.