Transform actions
- TRANSFORM ANALYZED CLIENT IP (TRANSFORM_ANALYZED_CLIENT_IP)
- TRANSFORM APP USER NAME (TRANSFORM_APP_USER)
- TRANSFORM CLIENT HOST NAME (TRANSFORM_CLIENT_HOST_NAME)
- TRANSFORM CLIENT OS NAME (TRANSFORM_CLIENT_OS_NAME)
- TRANSFORM DB NAME (TRANSFORM_DB_NAME)
- TRANSFORM DB USER (TRANSFORM_DB_USER)
- TRANSFORM OS USER (TRANSFORM_OS_USER)
- TRANSFORM SERVER DESCRIPTION (TRANSFORM_SERVER_DESC)
- TRANSFORM SERVER HOST NAME (TRANSFORM_SERVER_HOST_NAME)
- TRANSFORM SERVER OS NAME (TRANSFORM_SERVER_OS_NAME)
- TRANSFORM SERVICE NAME (TRANSFORM_SERVICE_NAME)
- TRANSFORM SOURCE PROGRAM NAME (TRANSFORM_SOURCE_PROGRAM)
- TRANSFORM STATEMENT (TRANSFORM_STATEMENT)
Transform action examples in the UI
For an example of how to use the TRANSFORM ANALYZED CLIENT IP action, see Hostname caching example.
For an example of how to use the TRANSFORM DB NAME action, see Add DB name on failed login example.
For some examples of how to use the TRANSFORM STATEMENT action, see Query masking examples.
For more information about creating session level policies in the UI, see Understanding the UI examples.
Transform action examples using the advanced session-level policy language
TRANSFORM_SERVER_DESC SEARCH_PREFIX = 'SERVER_DESCRIPTION:guardium://empty' OUTPUT_FORMAT = 'IBM VM'
This shows the use of tokens in a transform action: if the SERVER_DESCRIPTION field is empty for the session, it is transformed to IBM VM.
SEARCH_PREFIX = 'DB_USER:SCOTT'
SEARCH_PATTERN = 'OS_USER:ORACLE19'
MATCH_PATTERN = 'SOURCE_PROGRAM:/(\w+)/(.*)'
These show the ability to use independent targets.
SEARCH_PREFIX = '$(NOT)$:STATEMENT:grant' - means any statement that is not "GRANT ...".
SEARCH_PREFIX = '$(NOT)$:OS_USER:?' - empty OS user.
These show how to use SEARCH_PREFIX to match any statement other than grant and an empty OS user, respectively.
TRANSFORM_DB_USER SEARCH_PREFIX = '$(NOT)$:$(DB_USER)$' SOURCE = OS_USER OUTPUT_FORMAT = '$(SOURCE_PROGRAM)$\(.*)'
Initial GDM_ACCESS record:
DB_USER = *scott*. | OS_USER = oracle19 | SOURCE_PROGRAM = sqlplus
Transform result in GDM_ACCESS table:
DB_USER = sqlplus\oracle19 | OS_USER = oracle19 | SOURCE_PROGRAM = sqlplus
Case 1:
# Special handling for TRANSFORM actions:
# According to EX. 1, CLIENT_HOST_NAME should be transformed into an IP address and copied to the ANALYZED_CLIENT_IP field; in addition, it is possible to check and do so only if the analyzed client IP is empty:
TRANSFORM_ANALYZED_CLIENT_IP SEARCH_PREFIX = '$(NOT)$:ANALYZED_CLIENT_IP:?' SOURCE = CLIENT_HOST_NAME OUTPUT_FORMAT = '(.*)'
Case 2:
TRANSFORM_DB_USER WHERE OUTPUT_FORMAT = '<some string>' # copies <some string> into DB_USER if DB_USER is empty (does not copy if DB_USER is not empty)
Case 3:
TRANSFORM_DB_USER WHERE SEARCH_PREFIX = '?' OUTPUT_FORMAT = '<some string>' # copies <some string> into DB_USER if DB_USER is not empty (does not copy if DB_USER is empty)
It is now possible to transform a value to empty. To do so, in any transform action set SEARCH_PREFIX = '?' and OUTPUT_FORMAT to 'guardium://empty'.
Specific behaviors for search parameters with transform actions
Transform actions using certain search parameters may have specific behavior, as illustrated by the following examples.
TRANSFORM_DB_USER WHERE SOURCE = OS_USER OUTPUT_FORMAT = '(.*)'
This always copies OS_USER into DB_USER, regardless of whether or not DB_USER is empty.
TRANSFORM_ANALYZED_CLIENT_IP SEARCH_PREFIX = '$(NOT)$:ANALYZED_CLIENT_IP:?' SOURCE = CLIENT_HOST_NAME OUTPUT_FORMAT = '(.*)'
This transforms CLIENT_HOST_NAME into an IP address and copies it to ANALYZED_CLIENT_IP only if ANALYZED_CLIENT_IP is empty.
TRANSFORM_DB_USER WHERE OUTPUT_FORMAT = '<some string>'
This copies <some string> into DB_USER only if DB_USER is empty. It will not copy the value if DB_USER is not empty.
TRANSFORM_DB_USER WHERE SEARCH_PREFIX = '?' OUTPUT_FORMAT = '<some string>'
This copies <some string> into DB_USER only if DB_USER is not empty. It will not copy the value if DB_USER is empty.
TRANSFORM_DB_USER WHERE SEARCH_PREFIX = '?' OUTPUT_FORMAT = 'guardium://empty'
This transforms DB_USER to an empty value.
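The five behaviors above, written as a small Python decision model for reviewing which rules overwrite an audit field and which only fill a blank one. This is an added example, not Guardium code: the function names, the dict-based session record and the sample values are assumptions, and host name to IP resolution is not modeled.

```python
import re

EMPTY = "guardium://empty"  # OUTPUT_FORMAT value the page uses to blank a field
FIELD_IS_EMPTY = re.compile(r"\$\(NOT\)\$:(\w+):\?")  # the '$(NOT)$:FIELD:?' form

def fires(session, target, search_prefix=None, source=None):
    """Decide whether a transform on `target` applies to this session record."""
    current = session.get(target, "")
    if search_prefix is None:
        # No SEARCH_PREFIX: a SOURCE copy always applies; a literal
        # OUTPUT_FORMAT applies only when the target is empty.
        return source is not None or current == ""
    if search_prefix == "?":
        return current != ""  # bare '?': target must be non-empty
    m = FIELD_IS_EMPTY.fullmatch(search_prefix)
    if m is None:
        raise ValueError("SEARCH_PREFIX form not covered by this model")
    return session.get(m.group(1), "") == ""  # named field must be empty

def transform_db_user(session, search_prefix=None, source=None, output_format=""):
    """Return a copy of `session` with DB_USER rewritten if the rule fires."""
    result = dict(session)
    if not fires(session, "DB_USER", search_prefix, source):
        return result
    if output_format == EMPTY:
        result["DB_USER"] = ""
    elif source is not None:
        # Assumption: '(.*)' stands for the whole SOURCE value.
        result["DB_USER"] = output_format.replace("(.*)", session.get(source, ""))
    else:
        result["DB_USER"] = output_format
    return result

# Constructed sample records (not taken from a real GDM_ACCESS table).
NAMED = {"DB_USER": "scott", "OS_USER": "oracle19", "ANALYZED_CLIENT_IP": ""}
BLANK = {"DB_USER": "", "OS_USER": "oracle19", "ANALYZED_CLIENT_IP": "192.0.2.10"}

if __name__ == "__main__":
    rules = [
        ("SOURCE copy", dict(source="OS_USER", output_format="(.*)")),
        ("literal only", dict(output_format="APP")),
        ("'?' + literal", dict(search_prefix="?", output_format="APP")),
        ("'?' + empty", dict(search_prefix="?", output_format=EMPTY)),
    ]
    for label, kwargs in rules:
        for name, rec in (("NAMED", NAMED), ("BLANK", BLANK)):
            print(f"{label:14} {name}: DB_USER={transform_db_user(rec, **kwargs)['DB_USER']!r}")
```

In this model only the SOURCE copy and the SEARCH_PREFIX = '?' rules replace a DB_USER that is already populated, so those are the rules to review when the original value matters for the audit trail.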