Distributing workflow through Guardium groups

Using the receiver group option, define a single Compliance Workflow audit process that sends different results to different Guardium users based on a pre-defined, custom mapping.

About this task

Set up a single audit process and distribute the appropriate results to the appropriate manager. This process saves time because you do not have to create separate audit processes for separate receivers.

IBM® Guardium®’s Compliance Workflow Automation automatically delivers reports, classification results, and security assessment results to Guardium users on a scheduled basis. Result receivers can be defined as Guardium users, Guardium roles, or user groups.

For example, consider a large organization that has fifteen DBA managers. These managers need to review the activities of the DBAs they manage, and must not view the activities of the other managers' DBAs. One solution is to set up fifteen separate audit processes, one for each manager. This solution takes time to configure and is difficult to manage. Each audit process needs to be scheduled separately, and any global change needs to be made individually in all fifteen audit processes.

However, you can use the user group distribution method to set up a single audit process that distributes the appropriate results to each manager based on a manager mapping or DBA mapping. This process requires more upfront configuration but reduces maintenance time. Only one audit process needs to be scheduled, and changes need to be applied in only one location.

You need to map users to the data elements within Guardium that form the basis for report distribution. The example that is used in this document is based on objects, but you can apply these concepts with any data element within Guardium.

For example, three users have responsibility over three different sets of tables based on audit requirements (PCI, HIPAA, and CCI) within a database server, as follows:

Table 1. User with Table or Object

| User | Table or Object |
| --- | --- |
| User01 | db2inst1.cc_numbers |
| User01 | db2inst1.ccn |
| User02 | db2inst1.ADDRESSES |
| User02 | db2inst1.SSN_NUMBERS |
| User02 | db2inst1.G_CUSTOMERS |
| User02 | db2inst1.G_EMPLOYEES |
| User02 | db2inst1.G_FUNDS |
| User03 | db2inst1.doctor |
| User03 | db2inst1.medicare |
| User03 | db2inst1.med_history |

This table must be added as a custom table within Guardium, either manually or through a data upload. The following steps demonstrate how to create a custom table manually.

Procedure

  1. Click Reports > Report Configuration Tools > Custom Table Builder. Then, click Manually Define.
  2. In the Custom Table Builder window, define the table layout. Make sure that Group Type matches the correct data element in Guardium. Click Apply.
  3. Click Edit Data to manually add the records and then click Insert.
    Tip: If you have a large amount of data, choose Upload Data to import from an external data source.
  4. Enter each combination of values and click Insert until you have added all the required records.
  5. Join this custom table to the Guardium table structure by using Custom Domains, as follows:
    1. Click Reports > Report Configuration Tools > Custom Table Builder, and from the Domain Finder list, select [Custom] Access and click Clone.
    2. In the Custom Table Builder window, select the custom table that you created from the Available entities list and then select the table to which you want to join the custom table from the Domain entities list.
    3. Under Join condition select the fields from each table to create the join and press Add Pair.
    4. Select the arrow to move the custom table from Available entities to Domain entities.
      Tip: Click Detail to review the joins and confirm that the joins are correct. Then click Close.
    5. Click Apply to save the new custom domain.
  6. Create a report to distribute to the users, as follows:
    1. Click Reports > Report Configuration Tools > Report Builder and select the new domain from the Domain list.
    2. Click New and provide the query details and then click Next.
    3. Create a report with a runtime parameter for the user field that you created in the custom table.
  7. Create a group of Guardium Users based on the custom table, as follows:
    1. Click Setup > Tools and Views > Group Builder and create a new group with the Group Type as Guardium Users.
    2. Add all users from the custom table.

What to do next

You can create a new audit process. For the audit process, select the group that you created in User Group as the Receiver and the custom report that you created as the task. In the runtime parameter, enter the special tag “./Logged User” to distribute the results based on the custom mapping. Then click Run Once Now to run the audit process.
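
A small model of the distribution that this procedure configures, as an added example (it is not Guardium code and not part of the original page): it joins constructed audit records to the Table 1 mapping, splits the results per receiver the way the "./Logged User" runtime parameter is described as doing, and reports records that no receiver gets and receivers that have no mapping. The names `distribute`, `MAPPING` and `RECORDS`, the record layout, and the exact-match join on the object name are assumptions made for illustration.

```python
from collections import defaultdict

# Table 1 from the page: receiver -> object the receiver is responsible for.
MAPPING = [
    ("User01", "db2inst1.cc_numbers"), ("User01", "db2inst1.ccn"),
    ("User02", "db2inst1.ADDRESSES"), ("User02", "db2inst1.SSN_NUMBERS"),
    ("User02", "db2inst1.G_CUSTOMERS"), ("User02", "db2inst1.G_EMPLOYEES"),
    ("User02", "db2inst1.G_FUNDS"),
    ("User03", "db2inst1.doctor"), ("User03", "db2inst1.medicare"),
    ("User03", "db2inst1.med_history"),
]

# Constructed sample audit records: (db_user, sql_verb, object).
RECORDS = [
    ("dba_a", "SELECT", "db2inst1.ccn"),
    ("dba_b", "UPDATE", "db2inst1.SSN_NUMBERS"),
    ("dba_a", "SELECT", "db2inst1.medicare"),
    ("dba_c", "DELETE", "db2inst1.payroll"),  # object absent from the mapping
    ("dba_b", "SELECT", "db2inst1.cc_numbers"),
]

def distribute(records, mapping, receiver_group):
    """Return (results per receiver, undelivered records, receivers with no mapping)."""
    owners = defaultdict(set)
    for user, obj in mapping:
        owners[obj].add(user)
    group = set(receiver_group)
    results = {user: [] for user in receiver_group}
    undelivered = []
    for rec in records:
        # Assumed join: exact match between the record's object and the mapping.
        recipients = owners.get(rec[2], set()) & group
        if not recipients:
            undelivered.append(rec)  # activity that no receiver will review
        for user in recipients:
            results[user].append(rec)
    mapped_users = {user for user, _ in mapping}
    unmapped = sorted(group - mapped_users)  # receivers who always get empty results
    return results, undelivered, unmapped

if __name__ == "__main__":
    group = ["User01", "User02", "User03", "User04"]  # User04 is constructed
    results, undelivered, unmapped = distribute(RECORDS, MAPPING, group)
    for user, rows in results.items():
        print(user, rows)
    print("undelivered:", undelivered)
    print("receivers without mapping:", unmapped)
```

Running the same comparison against the real custom table and receiver group before scheduling the audit process shows which activity would fall outside every manager's report.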