Guardium Administration

Guardium® administrators perform various administration and maintenance tasks.

Any user assigned the admin role is referred to as a Guardium administrator. The admin role is distinct from the admin user account: the role can be granted to many users, while admin is one built-in account. Whoever holds the Guardium administrator role is accountable for how the admin and cli accounts are used on production systems.

Admin role privileges

The Guardium admin role carries implicit privileges beyond those explicitly assigned to it. For example, when a user with the admin role displays the list of privacy set definitions, every privacy set defined on the Guardium system is shown, and that user can view, modify, or delete any of them. When a user without the admin role opens the same list, that user sees only the following privacy sets:
  • The privacy sets that they own (that is, that they created).
  • Any privacy sets that are assigned a security role that is also assigned to that user.
Note: If you create a new role that is based on the admin role, any user with the new role has access to the same UI as the admin role. However, the role does not automatically grant access to artifacts created by other users.
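The visibility rule above, including the note's caveat that a role cloned from admin does not inherit access to other users' artifacts, can be expressed as a small access-control filter. The following is an added example written for this page, not Guardium code: the User and PrivacySet types, the function names, and the sample catalog are all assumptions made for illustration.

```python
"""Illustrative model of which privacy set definitions a Guardium user
sees. Added example for this page, not Guardium code: the data model,
function names and sample catalog are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

ADMIN_ROLE = "admin"  # the built-in role; only this exact role sees every definition


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str] = frozenset()


@dataclass(frozen=True)
class PrivacySet:
    name: str
    owner: str                            # user who created the definition
    roles: frozenset[str] = frozenset()   # security roles the definition is shared with


def can_view(user: User, ps: PrivacySet) -> bool:
    """Return True if `user` sees `ps` in the privacy set list.

    The built-in admin role sees every definition. Any other user,
    including one whose role was merely based on admin, sees a
    definition only if they own it or share at least one role with it.
    """
    if ADMIN_ROLE in user.roles:
        return True
    if ps.owner == user.name:
        return True
    return bool(user.roles & ps.roles)


def visible_sets(user: User, all_sets: list[PrivacySet]) -> list[str]:
    """Names of the definitions `user` would see, in catalog order."""
    return [ps.name for ps in all_sets if can_view(user, ps)]


# Constructed sample catalog; not taken from any real Guardium system.
CATALOG = [
    PrivacySet("PCI-cardholder", owner="alice", roles=frozenset({"pci-team"})),
    PrivacySet("HR-salary", owner="bob"),
    PrivacySet("GDPR-pii", owner="carol", roles=frozenset({"dba", "privacy"})),
]

ADMIN = User("admin", frozenset({"admin"}))
CLONED_ADMIN = User("ops", frozenset({"admin-clone"}))  # role created "based on admin"
ALICE = User("alice", frozenset({"pci-team"}))
DAVE = User("dave", frozenset({"dba"}))

if __name__ == "__main__":
    for u in (ADMIN, CLONED_ADMIN, ALICE, DAVE):
        print(f"{u.name:6} sees {visible_sets(u, CATALOG)}")
```

Running it shows the distinction the note makes: admin lists all three definitions, while the user holding the cloned role lists none, because a cloned role has the same UI access but no ownership of, or role assignment on, anyone else's definitions.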

CLI diag command access

Use of the diag CLI command requires an additional password, which can be the password of any user with the admin role.

If automatic account lockout is enabled (where a user account is locked after a specified number of login failures), the admin user account can be locked after a number of failed login attempts. If that happens, use the unlock admin CLI command to unlock it.

Note: The access manager (accessmgr) can unlock accounts from the User Browser. Open the User Browser by clicking Access > Access Management > User Browser.

Admin user privileges

The admin user has extra privileges that are not granted to the admin role, as follows:

  • Access to all users' to-do lists
  • Owner of imported definitions
  • Access management functions

Admin user To-Do List powers

The To-do List is a workflow automation feature that controls the distribution of audit process results to users. The admin user has special privileges and responsibilities in this area. If a user account is disabled, all audit process results for that user are automatically reassigned to the admin user. If a user is unavailable for any other reason, audit process results remain in that user's to-do list, awaiting sign-off before they are released to the next results receiver. The admin user can open any user's to-do list and take any action that is available to that user. When the admin user acts on another user's to-do list, that fact is recorded in the audit process activity log, for example: User admin signed results on behalf of user x.

Imported definition ownership

When definitions are exported, all role assignments are stripped from them, and on import the owner is set to the admin user of the importing system. Because no roles travel with the definition, that admin user alone decides, by assigning roles after import, who can use the definition on the importing system.

Access management and the administrator

For security purposes, a separation of duties exists between the access manager and admin. Admin users cannot have access manager privileges, and vice versa.

If the admin user nevertheless holds the accessmgr role (the legacy situation described in the note below), access manager functionality becomes available the next time the admin user logs in. This applies to the admin user only, not to other users that have the admin role.

Note:

The same user can hold both of these roles as a result of a legacy configuration or an upgrade. However, current Guardium does not allow the two roles to be assigned to the same user.

In the past, when a unit was upgraded, the accessmgr role was assigned to the admin user, and the accessmgr user was disabled.

In this situation, to restore the separation between accessmgr and admin:
  • Log in as admin and enable the accessmgr user.
  • Log in as accessmgr. The default initial password is guardium; change it at this first login, because the default is publicly documented.
  • As accessmgr, remove the accessmgr role from the admin user.