IBM Support

How to create a (custom) computed attribute that shows if a Guardium GUI user is enabled or disabled?

How To


Summary

IBM Security Guardium™ version 10.5 and earlier does not come by default with a predefined attribute to show if a graphical user interface (GUI) user account is enabled or disabled when querying or auditing this information from the Guardium™ system by using a report.

Nonetheless, you can use a custom (computed) attribute to make that information available for reporting.

Objective

Understand with a practical example how to implement Computed Attributes in Guardium™.
A Computed (sometimes also named "custom") attribute is a calculated value derived from relating and operating with other Data Attributes from those available in Guardium™, in order to create a new one.

Environment

The information in this document was generated while working in an IBM Security Guardium™ v10.5 appliance.
 
The process should remain the same from v10.5 and earlier versions.
As of version 10.6 and newer, there is an attribute named "Status" already included by default. It shows the status of a user account, so it should not be necessary to create another one.

Steps

Note 1. In an IBM Security Guardium™ Managed Environment (also known as Federated Environment), you must perform this process at the Central Manager appliance.
1. Login to the command-line interface (CLI) of the intended IBM Security Guardium™ appliance by using the cli account .
2. Execute the "grdapi create_computed_attribute" CLI command as follows.
grdapi create_computed_attribute attributeLabel="<new_attribute_name>" entityLabel="User" expression="CASE DISABLED WHEN 'F' THEN 'NO' WHEN 'T' THEN 'YES' ELSE 'UNKNOWN' END"
Where:
<new_attribute_name>. Must be replaced with the name that will be assigned to the new attribute. This is how it will be displayed in the graphical user interface.
Example:
grdapi create_computed_attribute attributeLabel="USER_DISABLED?" entityLabel="User" expression="CASE DISABLED WHEN 'F' THEN 'NO' WHEN 'T' THEN 'YES' ELSE 'UNKNOWN' END"
image
Note 2. The new attribute will be created under the "User" Guardium™ Data Entity given the other related attributes from where it derives.
Tip 1: You can play with the attribute name and the expression to match your needs.
The expression in the example is nothing but a CASE SQL statement that operates over a boolean column.
It is 'F' WHEN a user is ENABLED (NOT DISABLED) and a 'T' WHEN is DISABLED.
Note 3. While the process documented works in any version of the product, starting IBM Security Guardium™ v10.6, under the "User/Role/Application" Domain, the "User" Entity already contains an Attribute named "Status" for this same purpose, so you should not need to create a computed attribute.
image 8313
Expected outcome:
By using the GUI to build a report based on the "User" Entity, which is part of the "User/Role/Application" Domain, the created attribute can be selected and added as a column that will be displayed in the output of the report.
image-20180903114120-12

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m0z0000001errAAA","label":"GRDAPI"},{"code":"a8m0z0000000AqcAAE","label":"GUI"},{"code":"a8m0z0000001erNAAQ","label":"REPORTS"}],"ARM Case Number":"","Platform":[{"code":"PF004","label":"Appliance"}],"Version":"10.0.0;10.0.1;10.1.0;10.1.2;10.1.3;10.1.4;10.5.0"}]

Document Information

Modified date:
23 February 2022

UID

ibm16414543

Page Feedback