IBM Support

IBM Security Guardium - Query with a condition using GROUP not working correctly

Troubleshooting


Problem

When creating a custom query with a condition on any field, the query does not give the required result when the condition uses one of the group operators IN GROUP, NOT IN GROUP, LIKE GROUP, or NOT LIKE GROUP.

Symptom

1) I want to see a report of traffic with just the following DB users:

SYS
SYSAD
ADMIN


I define my report's query with a condition that shows traffic whose DB user is IN a GROUP called "system", where my group "system" contains the members SYS% and ADMIN%. However, the result of my report is empty.


2) I define the group "system" with members SYS, SYSAD, and ADMIN on my Managed Unit (MU) and run the same query as above, but I still get the wrong result.

Cause


1) The query does not return the expected results because the IN GROUP and NOT IN GROUP operators compare the field value with the exact text of each group member. My group members contain "%" (the percent sign), which these operators do not treat as a wildcard, so the member SYS% only matches a DB user literally named "SYS%".


2) Group definitions, wherever they are defined, are always stored on the Central Manager (CM) immediately; then, periodically, as part of the portal user sync, the group definitions are synced down to the MUs.

This means a group definition may not be present on an MU until some time later, after it has been synced down from the CM. Queries that use this group will not work correctly until the group has synced to the MU where the report's query is run.

Resolving The Problem

1) Use one of the following operators when any group member contains a wildcard:

LIKE GROUP

or

NOT LIKE GROUP

See "Using groups in queries and policies" in the Guardium documentation, which describes the operator as follows:

LIKE GROUP - If the value is like any member of the selected group, the condition is true. This condition enables wildcard (%) characters in the group member names.


2) Check that the portal user sync is scheduled to run, and wait about 30 minutes after it has run for the group to be synced to the MU.

* NOTE

The portal user sync can also be run manually as a Run Once Now from the Central Manager, as below. You still need to wait for the units to sync, which can take some minutes.
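To make the difference between the operators in resolution 1 concrete, here is an added model of how IN GROUP, NOT IN GROUP, LIKE GROUP and NOT LIKE GROUP evaluate a DB user against a group. It is illustrative code written for this note, not Guardium's own implementation; it assumes that "%" is the only wildcard and that matching is case-sensitive, and the DB user list and group definitions are constructed from the symptoms above.

```python
import re

# Constructed sample data (not from the technote): DB users seen in traffic,
# plus the two "system" group definitions from symptoms 1 and 2.
TRAFFIC_DB_USERS = ["SYS", "SYSAD", "ADMIN", "SCOTT", "ADMINISTRATOR"]
GROUP_SYSTEM_WILDCARD = ["SYS%", "ADMIN%"]      # symptom 1: members with '%'
GROUP_SYSTEM_EXACT = ["SYS", "SYSAD", "ADMIN"]  # symptom 2: exact members


def in_group(value, members):
    """IN GROUP: true only if the value equals a member exactly.
    A '%' inside a member is an ordinary character here, not a wildcard."""
    return value in members


def like_group(value, members):
    """LIKE GROUP: true if the value matches any member, where '%' in the
    member stands for any run of characters (assumption: '%' is the only
    wildcard and the comparison is case-sensitive)."""
    for member in members:
        # Escape every literal part, then join the parts with '.*' for each '%'.
        pattern = ".*".join(re.escape(part) for part in member.split("%"))
        if re.fullmatch(pattern, value):
            return True
    return False


def filter_traffic(users, members, operator):
    """Apply one of the four group operators to a list of DB user values
    and return the values the report would keep."""
    ops = {
        "IN GROUP": lambda v: in_group(v, members),
        "NOT IN GROUP": lambda v: not in_group(v, members),
        "LIKE GROUP": lambda v: like_group(v, members),
        "NOT LIKE GROUP": lambda v: not like_group(v, members),
    }
    return [u for u in users if ops[operator](u)]


if __name__ == "__main__":
    # Symptom 1: IN GROUP against the wildcard group keeps nothing.
    print(filter_traffic(TRAFFIC_DB_USERS, GROUP_SYSTEM_WILDCARD, "IN GROUP"))
    # Resolution 1: LIKE GROUP honours the '%' members (and also matches
    # ADMINISTRATOR, which the exact group from symptom 2 would not).
    print(filter_traffic(TRAFFIC_DB_USERS, GROUP_SYSTEM_WILDCARD, "LIKE GROUP"))
```

Note that LIKE GROUP with the member ADMIN% is broader than the three users the report was meant to show, which is worth checking before relying on a wildcard group in a policy.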



Document Information

Modified date: 16 June 2018

UID: swg21989795