IBM Support

[Guardium] Alert for records affected threshold arises even when the records count is less than the threshold value

Question & Answer


Question

You defined the Records Affected Threshold value in a policy rule. However, a threshold alert arose even when the number of affected records was less than the threshold value. Why does an alert arise even when the records count is less than the threshold value?

Cause

The appliance keeps the total record count per session. It resets the count every time the rule fires, but carries over residual counts. So an alert arises when the residual count plus the number of new records exceeds the threshold value.

Answer

This is expected behaviour. The appliance keeps a total count of records affected per construct, per session. The count resets every time the rule fires, but residual counts carry over.

Assume you have set the Records Affected Threshold value to 500 in a policy rule, and run the following queries.


    SELECT * FROM xxx WHERE ROWNUM <= 600   -- returns 600 records

The rule will fire for the 500th record, but the remaining 100 will carry over to the next count. So if you now run

    SELECT * FROM xxx WHERE ROWNUM <= 400   -- returns 400 records

the rule would indeed fire again because 100+400=500.

The idea here is to prevent the user from selecting a large number of rows in small increments, thereby circumventing the alert rule.
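The counting behaviour described above can be modelled as follows. This is an added example, not Guardium code: the class and function names are hypothetical, the sample statements are constructed, and the handling of a single result that crosses the threshold more than once is an assumption. It replays the two queries from this page and a run of small selects, next to a hypothetical per-statement check that has no carry-over.

```python
from collections import defaultdict

THRESHOLD = 500  # Records Affected Threshold from the example above


class CarryOverCounter:
    """Model of the per-session, per-construct count described on this page."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.residual = defaultdict(int)  # (session, construct) -> carried count

    def observe(self, session, construct, records):
        """Add one statement's affected records; return how many times the rule fires."""
        key = (session, construct)
        total = self.residual[key] + records
        # Assumption: a result that crosses the threshold more than once fires
        # once per crossing. The page only describes a single crossing.
        fires, self.residual[key] = divmod(total, self.threshold)
        return fires


def per_statement_check(records, threshold):
    """Hypothetical naive rule with no carry-over, shown for contrast."""
    return records >= threshold


def replay(statements, threshold=THRESHOLD):
    """Replay (session, construct, records) tuples; return (carry_over, naive) results."""
    counter = CarryOverCounter(threshold)
    carry = [counter.observe(s, c, n) for s, c, n in statements]
    naive = [per_statement_check(n, threshold) for _, _, n in statements]
    return carry, naive


# Constructed sample input: the two queries from the page, in one session.
PAGE_EXAMPLE = [("sess1", "SELECT xxx", 600), ("sess1", "SELECT xxx", 400)]
# Constructed sample input: 600 rows read in five statements of 120 rows each.
SMALL_INCREMENTS = [("sess2", "SELECT xxx", 120)] * 5

if __name__ == "__main__":
    for name, stmts in (("page example", PAGE_EXAMPLE), ("small increments", SMALL_INCREMENTS)):
        carry, naive = replay(stmts)
        for (sess, _, n), fired, naive_fired in zip(stmts, carry, naive):
            print(f"{name}: {sess} rows={n} carry-over fires={fired} per-statement fires={naive_fired}")
```

In the small-increments replay the per-statement check never fires, while the carry-over count fires on the fifth statement and keeps a residual of 100 for the next one.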


Document Information

Modified date:
16 June 2018

UID

swg21571176