IBM Support

Guardium Policy Rule Fires on Empty Group

Troubleshooting

Problem

IBM Security Guardium policy rules may fire unexpectedly if a condition contains an empty group.

Symptom

Rules fire unexpectedly.

Cause

A condition containing an empty group will always return TRUE when the rule is evaluated. If that is the only condition on the rule, the rule will fire.

Diagnosing The Problem

The blue icon next to the field where the group name is specified opens the group and shows you its member list. If the group is empty, expect the condition to return TRUE.

Resolving The Problem

This is currently the designed behavior, but some administrators expect that an empty group would return FALSE and are confused when the policy rules fire.

This case does not have a straightforward answer. For example, if a rule has a DB_USER group condition, it should return FALSE unless the DB_USER is explicitly listed in the group, so you might expect an empty group to always return FALSE. But you could also view an empty group as just a placeholder: if there are several conditions on the rule, you want the empty group to return TRUE so that the rule can still fire when the other conditions are true. This is further complicated by the NOT checkbox. Should the behavior of an empty group be reversed when NOT is selected?

Currently the preferred solution is to avoid using empty groups in policy rules.

Note that if you remove the group name and leave the condition blank, that condition will always return TRUE. If you want the rule to return FALSE until the group is properly populated you must enter a dummy value into the group so that it is not empty. Use a value that can never match in your environment.

A limited code change was introduced in v10 p4018 and later sniffer patches that causes empty tuple groups to always return FALSE. This patch can be applied to any v10 prior to GPU 200. The same fix is included with GPU 200 and up. The overall behavior and user experience surrounding these cases is being re-evaluated in v10.5.
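The evaluation described in Cause and Resolving The Problem, as an added example that is not IBM's or Guardium's code: a small Python model of group-membership conditions with the empty-group behavior, the dummy-value workaround and the p4018 change, plus a check that flags rules referencing empty groups before a policy is installed. The group names, rules and session record are constructed samples; AND semantics between conditions and the handling of NOT on an empty group are assumptions.

```python
# Added example, not IBM Guardium code: models the rule evaluation described in
# Cause and Resolving The Problem, and audits a policy for empty-group conditions.
# Group names, rule definitions and the session record are constructed samples.

def condition_matches(value, group, negate=False, empty_is_true=True):
    """Evaluate one group-membership condition of a policy rule.

    empty_is_true=True reproduces the page's statement that a condition on an
    empty group always returns TRUE (assumption: NOT does not reverse this, a
    question the page leaves open). empty_is_true=False models the p4018
    change, under which an empty group returns FALSE."""
    if not group:
        return empty_is_true
    matched = value in group
    return not matched if negate else matched


def rule_fires(rule, session, groups, empty_is_true=True):
    """A rule fires when all its conditions are TRUE (AND semantics assumed)."""
    return all(
        condition_matches(session.get(field), groups.get(gname, set()),
                          negate, empty_is_true)
        for field, gname, negate in rule["conditions"]
    )


def find_empty_group_conditions(rules, groups):
    """Pre-deployment check: (rule, group) pairs whose group is empty or missing."""
    return [(r["name"], g)
            for r in rules for _, g, _ in r["conditions"] if not groups.get(g)]


GROUPS = {
    "Privileged Users": set(),                          # still being populated
    "Privileged Users (fixed)": {"__NEVER_MATCHES__"},  # dummy member workaround
    "Sensitive Objects": {"CUSTOMERS", "CARDS"},
}
RULES = [
    {"name": "Privileged access to sensitive data",
     "conditions": [("DB_USER", "Privileged Users", False),
                    ("OBJECT", "Sensitive Objects", False)]},
    {"name": "Privileged access to sensitive data (fixed)",
     "conditions": [("DB_USER", "Privileged Users (fixed)", False),
                    ("OBJECT", "Sensitive Objects", False)]},
]
SESSION = {"DB_USER": "app_svc", "OBJECT": "CUSTOMERS"}  # an ordinary app account

if __name__ == "__main__":
    print([(r["name"], rule_fires(r, SESSION, GROUPS)) for r in RULES])
    print(find_empty_group_conditions(RULES, GROUPS))
```

The first rule fires for an ordinary application account only because its DB_USER group is empty; the dummy member in the second rule's group keeps it quiet until the group is populated.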


Document Information

Modified date:
16 June 2018

UID

swg21994387