Managing users

Use the Access Manager account (username accessmgr) to add user accounts, enable or disable user accounts, import members from LDAP, or edit user permissions. To browse the user accounts, open the User Browser by clicking Access > Access Management > User Browser.

Defining and modifying users involves deciding both who can use the Guardium® system and in which roles. A group of users can all have the same role and the same access privileges if you so choose. For more information about roles, see Understanding Roles.

You can import user definitions from an LDAP server, on demand, or on a schedule.

Regardless of how users are defined to the Guardium system, the Guardium administrator can configure the system to authenticate users by using Guardium, LDAP, or Radius.

When you get started with your Guardium system, an important early task is to identify which groups of users will use the system and what each group needs to do with it. For example, an information security group might use Guardium for alerting and troubleshooting, while a database administrator group might use Guardium for reporting and monitoring. As you decide who can access the Guardium system, keep in mind that the system captures sensitive company data, so be deliberate about who can access that data.

After you decide which groups of users will use the Guardium system (and for what purpose), collect the following information for each user:

  • User's first and last name
  • User account name (the name they use to log in)
  • User's email address
  • User's country or location
  • User's function or role with Guardium

User account security

Guardium provides a number of default settings to simplify user creation. Several of them can be changed to tighten security for user accounts; you view and change them with the show and store password CLI commands. For more information, see User Account, Password and Authentication CLI Commands. The following settings have defaults:

  • Password validation is enabled: a password must be at least 8 characters long and must contain at least one character from each of the following categories:
    Note: If password validation is disabled, any characters are allowed.
  • Password expiration is enabled. Passwords can be configured to expire after a designated number of days.
  • Account lockout after a specified number of failed login attempts is enabled. You can configure the lockout to trigger after a fixed number of failures within a specified time, or after a total number of failures over the life of the account.
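The two lockout modes described above, worked through as an added example (this is illustration code, not Guardium's own implementation). The thresholds, the (timestamp, success) event format, and the rule that a successful login clears the windowed counter are assumptions; the login sequences are constructed sample data.

```python
"""Account-lockout policy in two forms: lock after N failed logins within a
time window, or after N failed logins over the life of the account.

Added illustration, not Guardium code. Thresholds, the event format and the
successful-login reset rule are assumptions; the event lists are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int                     # failed attempts that trigger the lockout
    window_seconds: Optional[int] = None  # None: count failures over the account's lifetime


@dataclass
class Account:
    name: str
    failures: List[float] = field(default_factory=list)  # timestamps of failed logins
    locked: bool = False


def record_attempt(account: Account, policy: LockoutPolicy, ts: float, success: bool) -> bool:
    """Apply one login attempt at time ts; return True if the account is locked afterwards."""
    if account.locked:
        return True  # stays locked until an operator clears Disabled or runs unlock
    if success:
        if policy.window_seconds is not None:
            account.failures.clear()  # assumption: a good login ends the windowed run
        return False
    account.failures.append(ts)
    if policy.window_seconds is None:
        relevant = account.failures  # lifetime mode: every failure ever counts
    else:
        cutoff = ts - policy.window_seconds
        relevant = [t for t in account.failures if t > cutoff]
    if len(relevant) >= policy.max_failures:
        account.locked = True
    return account.locked


def replay(events: List[Tuple[float, bool]], policy: LockoutPolicy) -> Optional[float]:
    """Replay (timestamp, success) events for a fresh account; return the lockout time or None."""
    account = Account("demo")
    for ts, ok in events:
        if record_attempt(account, policy, ts, ok):
            return ts
    return None


# Constructed login sequences: (seconds since start, success flag).
BURST = [(0, False), (10, False), (20, False)]              # three failures in 20 s
SPREAD = [(0, False), (100, False), (200, False)]           # three failures, each > 60 s apart
MIXED = [(0, False), (10, False), (15, True), (20, False)]  # a success in the middle

WINDOWED = LockoutPolicy(max_failures=3, window_seconds=60)
LIFETIME = LockoutPolicy(max_failures=3)
```

With the windowed policy, BURST locks the account at the third failure (t=20) while SPREAD never does, because no three failures fall inside a 60-second window; with the lifetime policy SPREAD locks at t=200 and MIXED at t=20, since the intervening success does not reset the lifetime count.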

Unlocking locked accounts

  1. From the User Browser, click Edit for the user you want to unlock.
  2. Clear the Disabled checkbox.
  3. Click Update User to save changes.

If the admin or accessmgr account is locked, an admin can unlock it with the unlock admin or unlock accessmgr CLI command. For more information, see User account, password, and authentication CLI commands.

Creating a user account

  1. From the User Browser click Add User to open the User Form page.
  2. Enter a unique name for User name. Do not include apostrophe characters in the name. User names are not case-sensitive.
    Note: When you add a user manually, from either the Add User page or User LDAP Import, if no first name or last name is specified, the login name is used.

    Non-Latin characters, such as Chinese or Japanese, are not supported in the username.

  3. If smart card authentication is enabled, enter the Smart card user name.
    Tip: The smart card user name is the Common Name (CN) in the Guardium system's certificate.
  4. Enter a password and confirm it in the Password (confirm) box. The password that you assign is temporary, and the user must change it after their first login.
    Passwords are case-sensitive. When password validation is enabled (the default), the password must be 8 or more characters in length, and must include at least one character from each of the following categories:
  5. Enter the user's first and last name in the respective fields.
    Note: To assign a user the investigator (inv) role, the last name must be INV_1, INV_2, or INV_3. The UI does not stop you from entering a different last name, but the application works properly only with these names. Furthermore, an investigator cannot be assigned any additional roles; they hold only the inv role. The inv role is the only case in which a user or admin role is not also required.
  6. Optionally, enter the following information:
    • The user's email address.
    • Select the user's country or region from the menu.
    • Select Password never expires to remove password expiration. The default expiration is 90 days. Keep in mind that forcing users to change their passwords periodically is a security control.
  7. When ready, clear the Disabled checkbox to enable access to Guardium for this user.
    Note: Disabled is selected by default. Guardium suggests that you do not clear the checkbox and enable the account until after you assign the correct set of roles for the user.
  8. Click Add User to save the new user account definition and close the page.

    Guardium suggests that you assign all roles before you enable users so that the user has all components in their layout the first time they log in. When a user logs in for the first time, their layout is built by using all of the roles that are currently assigned. If roles are added later, the user has access to everything available to that role, but must add reports or applications particular to that role manually.

The user definition is now complete. Guardium suggests that you add the appropriate roles for the user before you inform them of their password for the initial login. For more information, see Understanding Roles.

For more information on adding a user by using an API command, see Create user.

Enabling or disabling multiple users

Open the User Browser and click Search Users to filter users by role. When you select a user, you can enable or disable that user. Because new users are disabled by default, this view is useful for changing the status of several users at once.

Note: Guardium includes the default Guardium CLI accounts, guardcli1 through guardcli9, that are enabled by default. You can disable one or more of the default users from the User Browser or by using the store guarduser_state CLI command.

Be sure to leave at least one guardcli account enabled to allow users to log in to the GuardAPI.

For more information about using the guardcli accounts, see Authenticating GuardAPI commands with set guiuser.

Updating a user account

  1. From the User Browser, click Edit for the user you want to modify.
  2. Change any values on the User Form page.
  3. Click Update User to save changes.
Note: If you change a user's password, the user must change it again after their next login.

Enabling a disabled user account

  1. From the User Browser, click Edit for the user you want to enable.
  2. Clear the Disabled checkbox.
  3. If the user forgets their password, enter a new password in both the Password and Password (confirm) boxes.
  4. Click Update User.

Removing a user account

  1. From the User Browser, click Delete for the user you want to remove.
  2. Click Confirm Deletion.
Note: Alerts that were sent to the deleted user are now sent to the admin; however, this change does not take effect until the access policy is reinstalled.

Defining the data security user hierarchy

  1. Browse to Data Security > User Hierarchy.
  2. Select a user from the User menu to refresh the screen and display the selected user's current hierarchy in the user page.
  3. Right-click a user node for the following options:
    • Click Add User to display the Add User dialog. Search or filter by role, and add a user as a descendant of the selected user.

      Defining a hierarchy provides a measure of data-level security: the parent in a hierarchy can be allowed to see specified servers and databases that the children in the hierarchy cannot. Depending on the configuration, inheritance can also work upward, so that the parent inherits the data-level security of the child.

      Note: Many-to-many relationships are allowed where a user might have more than one parent and a parent might have more than one user.
    • Unlink User from parent - Sever the descendant's relationship from the parent
    • Remove all descendants - Sever the relationship for all descendants from the parent
  4. Click Refresh Cached Hierarchy to apply the recent changes to the user hierarchy map.
  5. Click Update Active User-DB Map to apply all recent changes to the active User-DB association map.
    Note: Guardium suggests that you run Update Active User-DB Map after you change the User Hierarchy.

    When you change the hierarchy or a database association, the change does not take effect automatically. The periodic update does not pick it up (unless it is the first time the periodic update runs), so for the change to take effect, run Update Active User-DB Map. The update compares all IP addresses and Service Names against the hierarchy and associations to determine who has access to what.

    A periodic update of the user hierarchy runs automatically every 10 minutes and cannot be run manually. It is incremental: it looks only at server IP addresses or Service Names that were added since the last time it ran, compares the existing hierarchy and associations against those new entries, and determines which users can access them.
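The hierarchy rules above, together with the User-DB associations described in the next section, modeled as an added example (illustration code, not Guardium's own implementation). It assumes a parent-to-children graph in which a user may have several parents, that a parent inherits the data-level security of its descendants, and that an association to a server with service name None covers every service name on that server; all user, server and service names are constructed. It also shows why a hierarchy change is invisible to the incremental periodic update until Update Active User-DB Map recomputes the whole map.

```python
"""Model of the data-security user hierarchy and the active User-DB map.

Added illustration, not Guardium code. Assumptions: many-to-many parent ->
children hierarchy; a parent inherits its descendants' data-level security;
(server, None) means an association to the whole server. Sample data is constructed.
"""
from collections import defaultdict

# Constructed hierarchy: parent -> set of children. dba_bob has two parents.
HIERARCHY = {
    "secmgr": {"dba_alice", "dba_bob"},
    "audit_lead": {"dba_bob"},
}

# Constructed direct associations: user -> set of (server_ip, service_name).
ASSOCIATIONS = {
    "dba_alice": {("10.0.0.5", "ORCL")},
    "dba_bob": {("10.0.0.5", "HR"), ("10.0.0.7", None)},  # None = whole server
    "secmgr": {("10.0.0.9", None)},
}


def all_users(hierarchy, associations):
    """Every user named anywhere in the hierarchy or the association list."""
    users = set(hierarchy) | set(associations)
    for children in hierarchy.values():
        users |= children
    return users


def descendants(user, hierarchy):
    """Users below `user`, visiting each node once (a cycle cannot loop forever)."""
    seen, stack = set(), list(hierarchy.get(user, ()))
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(hierarchy.get(u, ()))
    return seen


def effective_access(user, hierarchy, associations):
    """Own associations plus everything inherited from descendants."""
    targets = set(associations.get(user, ()))
    for d in descendants(user, hierarchy):
        targets |= associations.get(d, set())
    return targets


def can_access(user, server_ip, service_name, hierarchy, associations):
    """True if the user reaches the service directly or through a whole-server association."""
    targets = effective_access(user, hierarchy, associations)
    return (server_ip, service_name) in targets or (server_ip, None) in targets


def node_counts(server_ip, associations):
    """The [nn] direct and (mm) descendant indicators for a server node:
    users associated with the server itself vs. with service names beneath it."""
    direct, below = set(), set()
    for user, targets in associations.items():
        for ip, svc in targets:
            if ip == server_ip:
                (direct if svc is None else below).add(user)
    return len(direct), len(below)


def update_active_map(hierarchy, associations):
    """Full recompute, as Update Active User-DB Map does: target -> users that can reach it."""
    active = defaultdict(set)
    for u in all_users(hierarchy, associations):
        for target in effective_access(u, hierarchy, associations):
            active[target].add(u)
    return dict(active)


def periodic_update(active, new_targets, hierarchy, associations):
    """Incremental pass, as the 10-minute periodic update does: resolves only targets
    not already in the map, so a changed hierarchy leaves existing entries untouched."""
    for target in new_targets:
        if target in active:
            continue
        active[target] = {u for u in all_users(hierarchy, associations)
                          if can_access(u, target[0], target[1], hierarchy, associations)}
    return active
```

In the constructed data, secmgr reaches ORCL on 10.0.0.5 only through dba_alice, and audit_lead does not reach it at all; if audit_lead is later made a parent of dba_alice, periodic_update leaves the existing ORCL entry unchanged and only update_active_map reflects the new access.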

Defining the data security user-database association

Use the Data Security User-DB Association page to find, assign, or remove users from available servers and service names (databases).

  1. Open the User-DB Association window by browsing to Data Security > User-DB Association.
  2. Select the checkboxes under Server & Service Name Suggestion to find databases and service names to associate with users. Choices include:
    • Observed Accesses - Observed traffic from Guardium internal database table GDM_Access
    • Datasource Definitions - Existing datasource definition information such as name, database type, authentication information, and location of datasource.
    • S-TAP® Definitions - Existing S-TAP definition information such as the IP address of the database server and the IP address of the Guardium host that receives data from S-TAP.
    • Auto-Discovered Hosts - Hosts discovered by the Guardium Auto-discovery process that were not previously known. You can configure the Guardium Auto-discovery application to probe the network, searching for and reporting on all databases discovered.
    • Guardium Install Manager (GIM)-Discovered Systems - Hosts discovered by the GIM that were not previously known.
  3. Click Go to find and display available servers, service names, and currently associated users.
    Note: When Guardium traverses the node tree, numerical indicators next to each server and service name count the directly and descendant-associated users. The indicators take the format [nn] for direct associations and (mm) for descendant associations (for example, when a service name within the current server has an associated user). Likewise, when you view the users associated with a server or service name, a user associated with a higher-level node in the tree is also displayed.
  4. Click a server or service name node to display associated users. With any node selected, you can do one of the following tasks:
    • Click Add User to add a user-DB association, click any users that you want to add, and then click Add.
    • Click Add Group to add a group-DB association. When Add Group is selected, groups that are created by using the Group Builder for group type Guardium Users display. Select the group you'd like to add and click Add.
  5. Right-click any server or service name node to select one of the following tasks:
    • Highlight the server.
    • Expand or collapse the server.
    • Find a server.
    • Add server, service name, or unnamed service.
    • Delete the server.
  6. Add an IP address or IP/Service Name pair in the IP and Service Name fields.
    Note: Use Find to search the IP/Service Name tree structure. You can enter partial IP strings or include the asterisk wildcard (*), so that, for example, 192.168 and 192.168.*.* are both valid. Digits cannot follow a wildcard, and a wildcard cannot be combined with digits inside an octet. Service names can include the wildcard % anywhere within the name.
  7. Click Update Active User-DB Map to apply all recent changes to the active User-DB association map.
    Note: Guardium suggests that you run Update Active User-DB Map after you change the User-DB Association.

    When you change a database association, the change does not take effect automatically. The periodic update does not pick it up (unless it is the first time the periodic update runs), so for the change to take effect, click Update Active User-DB Map. The update compares all IP addresses and Service Names against the hierarchy and associations to determine who has access to what.

    A periodic update of the user hierarchy runs automatically every 10 minutes and cannot be run manually. It is incremental: it looks only at server IP addresses or Service Names that were added since the last time it ran, compares the existing hierarchy and associations against those new entries, and determines which users can access them.
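The Find rules from step 6 (partial IP strings, the * octet wildcard, and % in service names), implemented as an added example (illustration code, not Guardium's own search). It assumes a partial IP pattern constrains only the leading octets it names, that * stands for a whole octet with no digit octet allowed after it, and that % matches any run of characters case-insensitively; the server tree is constructed sample data.

```python
"""Validation and matching for Find patterns in the IP/Service Name tree.

Added illustration, not Guardium code. Assumptions: partial IP patterns are
octet-prefix matches; '*' is a whole octet and no digit octet may follow it;
'%' in a service-name pattern matches any run of characters, case-insensitively.
"""
import re


def validate_ip_pattern(pattern: str) -> bool:
    """Accept 1 to 4 dot-separated octets, each either all digits (0-255) or '*'.
    Reject digits after a wildcard and any octet that mixes '*' with digits."""
    octets = pattern.split(".")
    if not 1 <= len(octets) <= 4:
        return False
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
        elif octet.isdigit() and int(octet) <= 255:
            if seen_star:
                return False  # a numeric octet may not trail a wildcard
        else:
            return False      # empty octet, letters, or '*' mixed with digits (e.g. 1*)
    return True


def ip_matches(pattern: str, ip: str) -> bool:
    """Match a validated pattern against a dotted-quad address, octet by octet."""
    if not validate_ip_pattern(pattern):
        raise ValueError(f"invalid IP pattern: {pattern!r}")
    want, have = pattern.split("."), ip.split(".")
    if len(have) != 4:
        return False
    # zip stops at the pattern's length, so a partial pattern is a prefix match
    return all(w == "*" or w == h for w, h in zip(want, have))


def service_matches(pattern: str, service_name: str) -> bool:
    """SQL-LIKE style match: '%' may appear anywhere and matches zero or more characters."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("%"))
    return re.fullmatch(regex, service_name, re.IGNORECASE) is not None


def find(tree, ip_pattern=None, service_pattern=None):
    """Search a {server_ip: [service names]} tree; return sorted (ip, service) hits."""
    hits = []
    for ip, services in tree.items():
        if ip_pattern and not ip_matches(ip_pattern, ip):
            continue
        for svc in services:
            if service_pattern and not service_matches(service_pattern, svc):
                continue
            hits.append((ip, svc))
    return sorted(hits)


# Constructed server tree: server IP -> service names on it.
TREE = {
    "192.168.1.10": ["ORCL", "HRPROD"],
    "192.168.2.20": ["HRDEV"],
    "10.0.0.5": ["ORCL"],
}
```

Both 192.168 and 192.168.*.* match the two 192.168 servers; 192.168.*.1 and 192.16* are rejected by validate_ip_pattern because a digit trails the wildcard or shares an octet with it. Combining 192.168.*.* with the service pattern HR% returns HRPROD and HRDEV only.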

Managing smart card authentication

When smart card authentication is enabled, admin and access manager users can still log in to the Guardium system without a smart card. For more information, see store system admin-only.

The Smart card user name is an editable field in the Guardium Portal UI that is manually populated by admins or access managers when new users are created. To authenticate a user, the Guardium system attempts to match the information on the smart card with either the User name field or the Smart card user name field.

If you upgraded your Guardium system from a previous version that did not include the Smart card user name field, the system authenticates by using the User name.

If the Smart card user name is not populated but the User name matches, the system automatically copies the value of the User name field into the Smart card user name field.

If the common name on the Guardium system's certificate is changed, the admin or access manager can manually edit the Smart card user name to match the common name. The system can then authenticate by using the Smart card user name even if the User name no longer matches.

During an LDAP import, all users are imported with their existing user names. Admins or access managers can then manually add the certificate's common name as the Smart card user name, so that the user can authenticate with a smart card without losing any related settings.