Manage Users

Use the access manager, assigned the user name accessmgr, to add user accounts, enable or disable user accounts, import members from LDAP, or edit user permissions. Open the User Browser and browse the user accounts by clicking Access > Access Management > User Browser.

Defining and modifying users involves deciding both who will be using the Guardium® system and to what roles they will be assigned. A group of users can all have the same role and the same access privileges if you so choose. For more information on roles, see Understanding Roles.

Note: A default layout can be defined for a role, so that any new user assigned that role will have that layout. See Generate New Layout in the CLI Reference.

User definitions can be imported from an LDAP server, on demand or on a schedule.

Regardless of how users are defined to the Guardium system, the Guardium administrator can configure the system to authenticate users via Guardium, LDAP, or Radius.

When getting started with your Guardium system, an important early task is to identify which groups of users will use the system, and what their function will be. For example, an information security group might use Guardium for alerting and troubleshooting purposes while a database administrator group might use Guardium for reporting and monitoring. When deciding who will access the Guardium system, keep in mind that sensitive company data can be picked up by the system. Therefore, be very aware of who will be able to access that data.

Once you decide which groups of users will use the Guardium system (and for what purpose), collect the following information for each user:

User Account Security

Several settings can be changed to provide additional security for user accounts. You can enable or disable these settings using the show and store password CLI commands (see User Account, Password and Authentication CLI Commands in the CLI Reference).

  • By default, password validation is enabled. This means that a minimum of eight characters is required, and the password must contain at least one character from each of the following categories:
    • Uppercase letters: A-Z
    • Lowercase letters: a-z
    • Digits: 0-9
    • Special characters: @#$%^&.;!-+=_
    Note: If password validation is disabled, any characters are allowed.
  • By default, password expiration is enabled. Passwords can be configured to expire after a designated number of days.
  • By default, account lockout following a specified number of failed login attempts is enabled. Lockout can be configured to occur after a fixed number of attempts in a given time, or after a total number of attempts for the life of the account.
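As an added example that is not Guardium code, the following Python models the default password validation rule and both account lockout modes described above, so the policy can be reasoned about offline; the threshold and window values are illustrative assumptions.

```python
"""Added example (not Guardium code): models the account-security rules
described above. Thresholds and window sizes are illustrative assumptions."""
import string
from collections import deque
from typing import Optional

# Special characters accepted by the default validation rule, as listed above.
SPECIAL_CHARS = set("@#$%^&.;!-+=_")
MIN_LENGTH = 8


def password_violations(password: str) -> list:
    """Return the names of the rules the password fails (empty means it passes)."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        failed.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        failed.append("lowercase")
    if not any(c in string.digits for c in password):
        failed.append("digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failed.append("special")
    return failed


class LockoutTracker:
    """Tracks failed logins under either lockout mode:
    window  = N failures within W seconds (window_seconds given)
    lifetime = N failures over the life of the account (window_seconds None)."""

    def __init__(self, max_failures: int, window_seconds: Optional[int] = None):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = deque()  # timestamps (seconds) of failed attempts
        self.locked = False

    def record_failure(self, at: float) -> bool:
        """Record a failed attempt at time `at`; return True once the account is locked."""
        self.failures.append(at)
        if self.window is not None:
            # Sliding window: forget attempts older than the window.
            while self.failures and at - self.failures[0] >= self.window:
                self.failures.popleft()
        if len(self.failures) >= self.max_failures:
            self.locked = True  # stays locked until an administrator clears it
        return self.locked
```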

Locked Accounts

  1. Open the User Browser by clicking Access > Access Management to view the list of users.
  2. Click Edit for any user, clear the Disabled check box, and click Update User to save changes.
    Note: If the admin user account becomes locked, use the unlock admin CLI command to unlock it (see Configuration and Control CLI Commands in the CLI Reference).

Create a User Account

  1. Open the User Browser and click Add User to open the User Form panel.
  2. Enter a unique name for Username. Do not include apostrophe characters in the name. User names are not case sensitive.
    Note: When adding a user manually, from either the Add User panel or User LDAP Import, if there is no first name and/or last name, the login name will be used.
  3. Enter a password and confirm it again in the Password (confirm) box. The password you assign will be temporary, and the user will be required to change it following their first login.
    Note: Passwords are case sensitive. When password validation is enabled (the default), the password must be eight or more characters in length, and must include at least one uppercase alphabetic character (A-Z), one lowercase alphabetic character (a-z), one digit (0-9), and one special character from the following set: @$%^&.;!-+=_
    Note: Non-Latin characters, for example, Chinese, Japanese, are not supported in the username.
  4. Enter the user’s first and last name in the respective fields.
    Note: Restrictions apply to the last name for those users assigned the Investigation Data Restore role (inv). If you want to assign a user the investigator role, their last name must be INV_1, INV_2, or INV_3. The UI will not restrict you from entering something different in this field, but the application will not function properly unless the last name is entered as shown. Further, the investigator cannot be assigned any additional roles - they must be inv only. This is the only case where it is not required to have a user or admin role.
  5. (Optional) Enter the user’s email address.
  6. (Caution) The Disabled check box is checked by default. We suggest that you defer clearing the check box and enabling the account until after the correct set of roles has been assigned for the user.

    It is much simpler to assign the roles first, so that the user has all components in their layout the first time they log in. When a user logs in for the first time, their layout is built using all of the roles assigned at that time. If roles are added later, the user has access to everything available to that role, but will have to add reports or applications particular to that role manually.

  7. Click Add User to save the new user account definition and close the panel.

This completes the user definition. We suggest that you add the appropriate roles for the user before informing them of their password for the initial login. See Understanding Roles for more information.

Enable/disable many users

Open the User Browser and click Search Users to easily filter users by role. When you select a user, you have the option to enable or disable the user. Because users are disabled by default, this menu can be very useful to easily change the status of many users.

Update a User Account

  1. Open the User Browser and click Edit for the user you want to modify.
  2. Replace any values in the User Form panel.
  3. Click Update User to save changes.
    Note: Changing a user's password will require the user to change it following their next login.

Enable a Disabled User Account

  1. Open the User Browser and click Edit for the user you want to enable.
  2. Clear the Disabled check box.
  3. If the user has forgotten their password, enter a new password in both the Password and Password (confirm) boxes.
  4. Click Update User.

Remove a User Account

  1. Open the User Browser by clicking Access > Access Management.
  2. Click Delete for the user you want to remove.
  3. Click Confirm Deletion.
    Note: Alerts that were sent to the deleted user will now be sent to the admin user; however, this does not take effect until the access policy is reinstalled.

Define the Data Security User Hierarchy

  1. Click Data Security > User Hierarchy.
  2. Select a user from the User menu to refresh the screen and display the selected user's current hierarchy in the user pane.
  3. Right-click a user node for the following options:
    • Add User - Clicking Add User displays the Add User dialog. Search or filter by role, and add a user as a descendant of the selected user.

      This can create a measure of data-level security, by permitting the parent of a hierarchy to look at specified servers and databases, but not the children of the hierarchy. Depending on the configuration, inheritance can also take place in that the parent inherits the data-level security of the child.

      Note: Many-to-many relationships are permitted where a user may have more than one parent and a parent may have more than one user.
    • Unlink User from parent - severs the descendant from the parent
    • Remove all descendants - severs all descendants from the parent
  4. Click Refresh Cached Hierarchy to apply the recent changes to the user hierarchy map.
  5. Click Full Update Active User-DB Map to fully apply all recent changes to the active User-DB association map.
    Note: Best practices dictate a Full Update Active User-DB Map after changing the User Hierarchy.

    When you make a change to a hierarchy or to a database association (via UI or GuardAPI), this change DOES NOT take effect automatically. The Periodic Update will NOT pick up this change, unless it is the FIRST time the Periodic Update has run. Otherwise, the user MUST click Full Update or run the Full Update GuardAPI command for their changes to take effect.

    A periodic update of the user hierarchy is run every 10 minutes automatically. This cannot be run manually. This is an incremental update, meaning that it is only looking at new server IPs or Service Names that have been sniffed since the last time the periodic update was run. It compares the existing hierarchy and associations against the new IPs/Service Names and determines what users should have access to these IPs/Service Names.

    A full update of the user hierarchy is NOT run automatically. It is only run when the user executes it, either via the UI or GuardAPI function. This compares ALL IPs/Service Names to the existing hierarchy and associations to determine who has access to what.

Define the Data Security User to Database Association

Use the Data Security User-DB Association to find, assign, or remove users from available servers and service names (databases).

  1. Open the User-DB Association panel by clicking Data Security > User-DB Association.
  2. Select the check boxes of the Server & Service Name Suggestion to find databases and service names to associate to users. Choices include:
    • Observed Accesses - Observed traffic from Guardium internal database table GDM_Access
    • Datasource Definitions - Existing datasource definition information such as name, database type, authentication information, and location of datasource.
    • S-TAP® Definitions - Existing S-TAP definition information such as the IP address of the database server and the IP address of the Guardium host that will receive data from S-TAP.
    • Auto-Discovered Hosts - Hosts discovered by the Guardium Auto-discovery process that were not previously known. Guardium's Auto-discovery application can be configured to probe the network, searching for and reporting on all databases discovered.
    • Guardium Install Manager (GIM)-Discovered Systems - Hosts discovered by the GIM that were not previously known.
  3. Click Go to find and display available servers, service names, and currently associated users.
    Note: When traversing the node tree, numerical indicators are displayed next to each server and service name to provide a count of direct and descendant users that have been associated. The indicators take the format of [nn] for direct association and (mm) for descendant association (a server or service name within the current server has a user associated to it for example). Likewise, when viewing the users associated to a server or service name, if there is a user associated to a larger level node in the tree, that user will be displayed.
  4. Click a server or service name node to display associated users. With any node selected, you can do one of the following:
    • Click Add User to add a new user-DB association, click any users you want to add, and then click Add.
    • Click Add Group to add a new group-DB association. When Add Group is selected, groups that were created using the Group Builder for group type Guardium Users will be displayed. Select the group you'd like to add and click Add.
  5. Right-click any server or service name node, and you are presented with options to do one of the following:
    • Highlight the server
    • Expand or collapse the server
    • Find a server
    • Add server, service name, or unnamed service
    • Delete the server
  6. Add an IP or IP/Service Name pair using the IP and Service Name fields before the tree structure.
    Note: The Find button can be used to search the IP/Service Name tree structure. IP strings may be entered as partials or include the wild card *, so that 192.168 and 192.168.*.* are both valid. A numeric octet cannot follow a wild card, and a wild card cannot be combined with digits to form an octet. Service names may include the wild card % anywhere within the name.
  7. Click Full Update Active User-DB Map to fully apply all recent changes to the active User-DB association map.
    Note: Best practices dictate a full update of the active User-DB map after changing the User-DB Association.

    A full update of the user hierarchy is NOT run automatically. It is only run when the user executes it, either via the Full Update Active User-DB Map button or the GuardAPI function. This compares ALL IPs/Service Names to the existing hierarchy and associations to determine who has access to what.

    A periodic update of the user hierarchy is run every 10 minutes automatically (cannot be run manually). This update is only looking at new server IPs or Service Names that have been sniffed since the last time the periodic update was run. It compares the existing hierarchy and associations against the new IPs/Service Names and determines what users should have access to these IPs/Service Names.

    When you make a change to a database association (via UI or GuardAPI), this change DOES NOT take effect automatically. The periodic update will NOT pick up this change, unless it is the FIRST time the periodic update has run. Otherwise, the user MUST click the Full Update Active User-DB Map button, or run the full update GuardAPI command for the changes to take effect.
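As an added example that is not Guardium code, the following Python validates and matches IP and Service Name search patterns according to the Find note in step 6 above (partial IPs, the * octet wild card, and % in service names); the exact grammar is this example's reading of that note, and the sample addresses are constructed.

```python
"""Added example (not Guardium code): validator and matcher for the IP /
Service Name search patterns described in the Find note. The grammar is
this example's reading of that note, not a Guardium specification."""
import re


def validate_ip_pattern(pattern: str) -> bool:
    """Accept 1-4 dot-separated octets, each all digits (0-255) or exactly '*'.
    Rejects digits mixed into a wild-card octet ('19*') and any numeric
    octet that follows a wild card ('192.*.1')."""
    octets = pattern.split(".")
    if not 1 <= len(octets) <= 4:
        return False
    seen_wildcard = False
    for octet in octets:
        if octet == "*":
            seen_wildcard = True
        elif octet.isdigit() and int(octet) <= 255:
            if seen_wildcard:
                return False  # numeric value trailing a wild card
        else:
            return False      # empty octet, '19*', letters, value > 255
    return True


def ip_matches(pattern: str, ip: str) -> bool:
    """True if the dotted-quad `ip` matches a valid pattern; a partial pattern
    such as '192.168' is treated as a prefix, equivalent to '192.168.*.*'."""
    if not validate_ip_pattern(pattern):
        raise ValueError("invalid IP pattern: %r" % pattern)
    for want, have in zip(pattern.split("."), ip.split(".")):
        if want != "*" and int(want) != int(have):
            return False
    return True


def service_matches(pattern: str, service_name: str) -> bool:
    """Service Name patterns allow '%' anywhere as a multi-character wild card;
    everything else is matched literally against the whole name."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, service_name) is not None
```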