If you have multiple systems with identical or similar
requirements, you can define the components that you need on one
system and export those definitions to other systems, provided the
system receiving the export is the same software release level or
higher.
You can export one type of definition (reports, for example) at
a time. Each element that is exported can cause other referenced definitions
to be exported as well. For example, a report is always based on a
query, and it can also reference other items, such as IP address groups
or time periods. All referenced definitions (except for security roles)
are exported along with the report definition. However, only one copy
of a definition is exported if that definition is referenced in multiple
exported items. An export of policies or queries exports only the
groups that are referenced by the exported policies or queries. Previously
an export of policies or queries would export all groups.
- Export/Import Definitions - Export and Import Definitions are used
to save and then restore
functional data from a given Guardium system. For example, this function
enables you to create a report on one Guardium system and then import
that same report onto another server with the same Guardium installed
version or higher.
Note: This function is not the same as a full backup
of the server. Backups should still be defined and run on a scheduled
or manual basis.
- Export Definitions - Are used to save and share defined functional
values such as Reports/Queries, CAS data, Classifier Data, and so
on. The export types are saved onto your PC as a .sql file type.
- Import Definitions - This function is used to import the exported
definitions onto servers that use the SAME Guardium Software version
or higher. For example, if you export definitions from a Guardium
V10 system, then you can import those definitions only onto another
V10 system.
Note:
- When you export graphical reports, the presentation parameter
settings (colors, fonts, titles, and so on) are not exported. When
imported, these reports use the default presentation parameter settings
for the importing system.
- Subscribed groups are not exported. When you export definitions
that reference subscribed groups, the user must ensure that all referenced
subscribed groups are installed on the importing appliance.
- The logs of Export/Import Definitions have the same retention
period as the monitored database activity logs.
- Comments are not included in export.
- When audit process definitions of scheduled runs (including schedule
time) are exported to another system, the ACTIVE check box in Audit
Process Builder is not checked (INACTIVE).
- Schedule start time of an audit process that is defined on one
appliance and exported to another (unrelated) appliance: if the
original schedule start time is defined, it is retained. If the original
schedule start time is not defined (empty), then the imported schedule
start time is set to the time it was imported.
- When you export a datasource with an open source driver, the open
source driver is not included in the export. The user needs to first
upload the open source driver into the new system before importing
the datasource definition that was created using it, otherwise the
data direct driver will be substituted for the open source driver
when it is imported.
- Large complex imports can take a very long time and can exceed
the length of the user's session. If this happens and the session
times out, the import continues to run in the background until it
completes.
- When you export the definition of classifier policies, any custom
evaluation classes associated with the policies are not exported with
the definition. For the imported policies to work, custom evaluation
classes must be uploaded separately.
- Exporting and importing definitions between systems that use different
languages does not work. For example, exporting a file from a Guardium®
system whose language is Simplified Chinese and importing that file to
a Guardium system whose language is English will not be successful.
Export to XACML Protocol
Guardium supports
export of Policy Rules to a XACML file, and import of XACML files
to another Guardium system.
The XACML (eXtensible Access Control
Markup Language) is a declarative access control policy language that
is implemented in XML and a processing model, describing how to interpret
the policies.
The export and import to standard XACML is used as
a bidirectional interface to transfer policy rules between Optim
Designer and Guardium.
Optim Designer can convert data values
for various purposes and through various means. In the core Optim
runtime (z/OS and Distributed) this is achieved through the invocation
of data privacy functions that are declared within column maps. In
Optim Privacy this is specified, by the user, as the application of
a data privacy policy on an attribute, referenced by an entity within
a data access plan.
Customers who bought both products, Optim
Privacy and Guardium, will be able to export the policies
and privacy information from one product to XACML and import them
to the other product.
To export Guardium policies to XACML, follow these steps:
- Click .
- Select Policy from the menu.
- Check the Export to XACML File check box.
- Select definitions from the Definitions to Export menu.
- Click Export.
To import an XACML file from another Guardium system
or Optim Privacy, open the Definitions Import by clicking .
Importing Groups
When you import a group
that already exists, members may be added, but no members will be
deleted.
Importing Aliases
When you import aliases,
new aliases may be added, but no aliases will be deleted.
Ownership of Imported Definitions
When a
definition is created, the user who creates it is saved as the owner
of that definition. The significance of this is that if no security
roles are assigned to that definition, only the owner and the admin
user have access to it.
When a definition is imported, the owner
is always changed to admin.
Roles for Imported Definitions
References
to security roles are removed from exported definitions. So any imported
definitions will have no roles assigned.
Users for Imported Definitions
A reference
to a user in an exported definition causes the user definition to
be exported. When definitions are imported, the referenced user
definitions are imported only if they do not exist on the importing
system. In other words, existing user definitions are never overwritten.
This has several implications, as described in Duplicate Role and
User Implications.
In addition, imported user definitions
are disabled. This means that imported users can receive email notifications
that are sent from the importing system, but they are not able to
log in to that system, unless and until the administrator enables
that account.
Duplicate Group and User Implications
If a group that is referenced by an exported definition exists on the
importing system, the definition of that group from the exporting
system will not be imported. This may create some confusion if
the group is not used for the same purposes on both systems.
If
a user definition exists on the importing system, it may not be for
the same person that is defined on the exporting system. For example,
assume that on the exporting system the user jdoe with the email address
john_doe@aaa.com is a recipient of output from an exported alert.
Assume also that on the importing system, the jdoe user already exists
for a person with the email address jane_doe@zzz.com. The exported
user definition is not imported, and when the imported alert is triggered,
email is sent to the jane_doe@zzz.com address. In either case, when
security roles or user definitions are not imported, check the definitions
on both systems to see if there are differences. If so, make the appropriate
adjustments to those definitions.
Definition Types for Exporting
Table 1. Definition Types for Exporting
| Can Be Exported | Cannot be Exported |
|---|---|
| Access Map | Baseline or Baseline included in a Policy |
| Alert | Custom Alerting Class. A check box in the Definitions export screen will Exclude group members. See description in Group line item. |
| Alias | Custom Assessment Test |
| Audit Process | Custom Identification Procedure |
| Group | A check box in the Definitions export screen will Exclude group members. This check box is visible only for data sets that have groups somewhere in the export hierarchy (for example, export of an alert includes also the query of the alert and the query might include groups in the query conditions). If the export of datasource does not include groups, the checkbox is not visible. When that checkbox is set, the export file includes groups (if groups are linked to the exported definition) but members of the groups are not exported. The checkbox is not set by default, its state is not persistent, and only applies to the current export. |
| Named Template | |
| Period (time period) | |
| Policy (but not an included Baseline) | |
| Query | |
| Report | A check box in the Definitions export screen will Exclude group members. See description in Group line item. |
| Role | |
| User | |
Export Definitions
- Open the Definitions Export pane by clicking .
- Select an option from the menu. The menu will be populated with definitions of the selected
type.
- Select all of the definitions of this type to be exported.
Note: Do
not export a Policy definition whose name contains one or more quote
characters. That definition can be exported, but it cannot be imported.
To export such a definition, make a clone of it, naming the clone
without using any quote characters, and export the clone.
- Click Export. Depending on your browser
security settings, you may receive a warning message asking if you
want to save the file or to open it using an editor.
- Save the exported file in an appropriate location.
Import Definitions
- Open the Definitions Import pane by clicking .
- Click Browse to locate and select the file.
- Click Upload. You are notified when the
operation completes and the definitions contained in the file are
displayed. Repeat to upload additional files.
- Use the Fully synchronize group members checkbox
to set the behavior of how to add new group members imported directly
or via other datasets such as queries or policies. If not checked,
new members that are in the import are added, but members not in the
import are not removed. If checked, then group members not in the
import are removed. Use the Set as default button
next to the checkbox to save the checkbox setting.
- Click Import this set of Definitions to
import a set of definitions, or click Remove this set
of Definitions without Importing to remove the uploaded
file without importing the definitions.
- You will be prompted to confirm either action.
Note: An import
operation does not overwrite an existing definition. If you attempt
to import a definition with the same name as an existing definition,
you are notified that the item was not replaced. If you want to overwrite
an existing definition with an imported one, you must delete the existing
definition before performing the import operation.
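The import rules described on this page (existing definitions and users are never overwritten, imported users are disabled, roles are removed and the owner becomes admin, and group members are only added unless Fully synchronize group members is checked) can be reviewed with a dry run before importing. The following is an added example, not Guardium code: the dictionary layout, the `plan_import` function and the sample names are assumptions for illustration and do not reflect the .sql export file format.

```python
# Dry-run model of the import rules on this page. The dict layout is an
# assumption for illustration, not the Guardium export format or API.
def plan_import(export, target, full_sync=False):
    """Return (finding, detail) pairs to review before importing."""
    findings = []
    for kind, name in export["definitions"]:
        if (kind, name) in target["definitions"]:
            # An import never overwrites an existing definition.
            findings.append(("skipped-definition", f"{kind}:{name}"))
        else:
            # Owner becomes admin and role references are removed.
            findings.append(("owner-admin-no-roles", f"{kind}:{name}"))
    for user, email in export["users"].items():
        current = target["users"].get(user)
        if current is None:
            # New user definitions are imported disabled.
            findings.append(("new-user-disabled", user))
        elif current.lower() != email.lower():
            # Existing user kept: notifications go to the target's address.
            findings.append(("user-mismatch", f"{user}: {email} != {current}"))
    for group, members in export["groups"].items():
        existing = target["groups"].get(group, set())
        extra = sorted(existing - members)
        if extra:
            # Default import only adds members; full sync removes the rest.
            action = "members-removed" if full_sync else "members-kept"
            findings.append((action, f"{group}: {', '.join(extra)}"))
    return findings

# Constructed sample data, reusing the jdoe example from this page.
EXPORT = {
    "definitions": [("alert", "Failed Logins"), ("query", "Login Query")],
    "users": {"jdoe": "john_doe@aaa.com", "asmith": "asmith@aaa.com"},
    "groups": {"Admin Users": {"root", "sa"}},
}
TARGET = {
    "definitions": {("query", "Login Query")},
    "users": {"jdoe": "jane_doe@zzz.com"},
    "groups": {"Admin Users": {"root", "dbadmin"}},
}

if __name__ == "__main__":
    for finding, detail in plan_import(EXPORT, TARGET):
        print(f"{finding:22} {detail}")
```

A `user-mismatch` finding corresponds to the jdoe case above, where an imported alert would notify the person defined on the importing system.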
Catalog Export
- Open the Catalog Export by clicking .
- Select an option from the menu. The menu will be populated with definitions of the selected
type.
- Select all of the definitions of this type to be exported and
click Export.
Note: Depending on your browser
security settings, you may receive a warning message asking if you
want to save the file or to open it using an editor.
- Save the exported file in an appropriate location.
Catalog Import
- Open the Catalog Import by clicking .
- Click Browse to locate and select the file.
- Click Upload. You are notified when the
operation completes and the definitions contained in the file are
displayed. Repeat to upload additional files.
- Click Import this set of Definitions to
import a set of definitions or click Remove this set of
Definitions without Importing to remove the uploaded file
without importing the definitions.