Database entitlements
You can use database entitlements to verify that users have access only to the appropriate data. Your Guardium® system includes predefined database entitlements for multiple datasource types.
They appear as domain names in the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections.
The domains are provided to facilitate uploading and reporting on the different entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports.
For entitlement data to be uploaded from a datasource, the login that is used for database access must have read permission on the tables that the entitlement query reads. This requirement applies to all entitlements.
See also Entitlement Optimization.
The predefined entitlements for the different datasource types are listed in the following sections:
Amazon Redshift entitlements
- Amazon Redshift database privileges granted to public
- Amazon Redshift database privileges granted to user
- Amazon Redshift database privileges granted with grant option
- Amazon Redshift object privileges granted to public
- Amazon Redshift object privileges granted to user
- Amazon Redshift object privileges granted with grant option
- Amazon Redshift Super User
- Amazon Redshift users in group
Apache Cassandra entitlements
- Apache Cassandra database object privileges granted to grantee
- Apache Cassandra role granted to user role
- Apache Cassandra roles granted with AUTHORIZE permission
- Apache Cassandra SuperUser role
Azure SQL entitlements
- Azure SQL database accounts with db_owner and db_security admin role
- Azure SQL database object and column privileges granted with grant option
- Azure SQL database role granted to user and role
- Azure SQL database object privileges granted to PUBLIC
- Azure SQL database privileges on system procedures/functions granted to PUBLIC
- Azure SQL database object privileges granted to user and role
- Azure SQL database role/system privileges granted to user and role
CockroachDB entitlements
The following entitlements are applicable for Guardium version 12.1 and later.
- CockroachDB create privilege granted to user or role
- CockroachDB privileges granted with grant option
- CockroachDB Super User granted to user or role
- CockroachDB system privileges granted to user or role
- CockroachDB privileges granted to grantee (pre CockroachDB version 24.1). Restriction: This entitlement is applicable for database versions earlier than 24.1.
- CockroachDB privileges granted to grantee (CockroachDB version 24.1 and later)
DataStax Cassandra entitlements
- DataStax Cassandra database object privileges granted to grantee
- DataStax Cassandra object privileges granted with grant option
- DataStax Cassandra role granted to user role
- DataStax Cassandra SuperUser role
Db2® for i 6.1 and 7.1 entitlements
For the entitlement to work, use the script gdmmonitor-db2-IBMi.sql, which details the minimal privileges that are required on the database tables (or views of the database tables).
- Object privileges granted to grantee (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
- Object privileges granted to grantee with grant option (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
- Object privileges granted to public (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
- Executable object privileges granted to public (Object type: package and Routine)
- Group granted to user
- Special Authorities privileges granted to grantee
All the object privileges exclude the default system schemas that are listed in a predefined Guardium group called "DB2 for i exclude system schemas - entitlement report". Add an entry to this group for each schema that needs to be excluded.
Db2 entitlements
- DB2® column-level privileges (SELECT, UPDATE, ETC.)
- DB2 database-level privileges (CONNECT, CREATE, ETC.)
- DB2 index-level privilege (CONTROL)
- DB2 package-level privileges (on code packages – BIND, EXECUTE, ETC.)
- DB2 routine dependencies
- DB2 table-level privileges (SELECT, UPDATE, ETC.)
- DB2 privilege summary
- DB2 table view dependencies
- DB2 trigger dependencies
/* Select privilege to these tables/views is required */
GRANT SELECT ON SYSCAT.COLAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.DBAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.INDEXAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PACKAGEAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.TABAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.SCHEMAAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PASSTHRUAUTH TO SQLGUARD;
DB2 z/OS entitlements
- DB2 zOS zSecure: database privileges granted to grantee
- DB2 zOS zSecure: database privileges granted to public
- DB2 zOS zSecure: groups granted to user
- DB2 zOS zSecure: JAR file resource privileges granted to grantee
- DB2 zOS zSecure: package privileges granted to grantee
- DB2 zOS zSecure: package privileges granted to public
- DB2 zOS zSecure: plan privileges granted to grantee
- DB2 zOS zSecure: plan privileges granted to public
- DB2 zOS zSecure: routine privileges granted to grantee
- DB2 zOS zSecure: routine privileges granted to public
- DB2 zOS zSecure: sequence privileges granted to grantee
- DB2 zOS zSecure: storage resource privileges granted to grantee
- DB2 zOS zSecure: system privileges granted to grantee
- DB2 zOS zSecure: system privileges granted to public
- DB2 zOS zSecure: table and view privileges granted to grantee
- DB2 zOS zSecure: table and view privileges granted to public
- DB2 zOS zSecure: tablespace resource privileges granted to grantee
- DB2 zOS database privileges granted to grantee
- DB2 zOS database privileges granted to public
- DB2 zOS database privileges granted with grant
- DB2 zOS database resource granted to grantee
- DB2 zOS database resource granted to public
- DB2 zOS enabled trusted context for connections
- DB2 zOS database resource granted with grant
- DB2 zOS executable object privileges granted to public
- DB2 zOS object privileges granted to grantee
- DB2 zOS object privileges granted to public
- DB2 zOS object privileges granted with grant
- DB2 zOS schema privileges granted to grantee -V8 Only
- DB2 zOS schema privileges granted to grantee -V9 Up
- DB2 zOS schema privileges granted to public
- DB2 zOS schema privileges granted with grant - V8 Only
- DB2 zOS schema privileges granted with grant - V9 Up
- DB2 zOS system privileges granted to grantee - V10 Up
- DB2 zOS system privileges granted to grantee - V8
- DB2 zOS system privileges granted to grantee - V9
- DB2 zOS system privileges granted to public -V10 Up
- DB2 zOS system privileges granted to public - V8
- DB2 zOS system privileges granted to public - V9
- DB2 zOS system privileges granted with grant -V10 Up
- DB2 zOS system privileges granted with grant -V8
- DB2 zOS system privileges granted with grant -V9
Informix entitlements
- Informix® account with DBA Privilege
- Informix execute privilege on Informix procedure and function granted to public
- Informix object and columns privileges granted with grant option
- Informix object dependencies
- Informix object grant to public
- Informix object privileges by database account not including system account and roles
- Informix role granted to user and role
- Informix system privileges and role granted to user
- Informix system privileges and role granted to user and role
MariaDB entitlements
- MariaDB database privileges
- MariaDB host privileges
- MariaDB table privileges
- MariaDB user privileges
Microsoft SQL Server 2000 entitlements
- MSSQL2000 object privilege by database account not including default system user
- MSSQL2000 role/system privileges granted to user including grant option
- MSSQL2000 role/system privileges granted to user and role including grant option
- MSSQL2000 object access by public
- MSSQL2000 execute privilege on system procedures and functions to public
- MSSQL2000 database accounts with db_owner and db_security admin role
- MSSQL2000 server account with sysadmin, server admin, and security admin. Remember: Run this entitlement only against the master database.
- MSSQL2000 object and columns privileges granted with grant option
- MSSQL2000 role granted to user and role
/* Select privilege to these tables/views is required */
/* This entitlement is required on MASTER database */
grant select on dbo.syslogins to sqlguard
/*These entitlements are required on every database including MASTER */
grant select on dbo.sysprotects to sqlguard
grant select on dbo.sysusers to sqlguard
grant select on dbo.sysobjects to sqlguard
grant select on dbo.sysmembers to sqlguard
If a datasource has an MSSQL database type but no database name, the upload loops through all MSSQL databases that the user has access to.
Microsoft SQL Server 2005 and later entitlements
- Microsoft SQL server object privileges by database account not including default system user
- Microsoft SQL server role/system privileges granted to user
- Microsoft SQL server role/system privilege granted to user and role including grant option
- Microsoft SQL server object access by public
- Microsoft SQL server object dependencies
- Microsoft SQL server execute privilege on system procedures and functions to public
- Microsoft SQL server database accounts of db_owner and db_securityadmin role
- Microsoft SQL server account with sysadmin, server admin, and security admin. Remember: Run this entitlement only against the master database.
- Microsoft SQL server object and columns privileges granted with grant option
- Microsoft SQL server role granted to user and role
- MSSQL2005/8 object privileges by database account not including default system user
- MSSQL2005/8 role/system privileges granted to user
- MSSQL2005/8 role/system privilege granted to user and role including grant option
- MSSQL2005/8 object access by public
- MSSQL2005/8 execute privilege on system procedures and functions to public
- MSSQL2005/8 database accounts of db_owner and db_security admin role
- MSSQL2000 server account with sysadmin, server admin, and security admin. Remember: Run this entitlement only against the master database.
- MSSQL2005/8 object and columns privileges granted with grant option
- MSSQL2005/8 role granted to user and role
/* Select privilege to these tables/views is required */
/*This entitlement is required on MASTER database */
grant select on sys.server_principals to sqlguard
/* These entitlements are required on every database, including MASTER */
grant select on sys.database_permissions to sqlguard
grant select on sys.database_principals to sqlguard
grant select on sys.all_objects to sqlguard
grant select on sys.database_role_members to sqlguard
grant select on sys.columns to sqlguard
If a datasource has an MSSQL database type but no database name, the upload loops through all MSSQL databases that the user has access to.
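The following T-SQL is an added example, not a script from the Guardium documentation. It shows what the SELECT grants above make possible: a read-only login (the page's sqlguard) can first confirm it can read the required catalog views, then reproduce the kind of result the "object access by public" entitlement reports. Run it in each database; the Guardium upload does the same loop when the datasource has no database name.

```sql
-- Added example; assumes the grants listed above were applied in this database
-- and that the login is named sqlguard, as on this page.

-- 1. Impersonate the monitoring login and check that every catalog view the
--    entitlements read is SELECT-able; a 0 in can_select means a grant is missing.
EXECUTE AS LOGIN = 'sqlguard';
SELECT v.name AS catalog_view,
       HAS_PERMS_BY_NAME('sys.' + v.name, 'OBJECT', 'SELECT') AS can_select
FROM (VALUES ('database_permissions'), ('database_principals'),
             ('all_objects'), ('database_role_members'), ('columns')) AS v(name);
REVERT;

-- 2. Objects (and columns) on which the public role holds a GRANT ('G') or
--    GRANT WITH GRANT OPTION ('W'), i.e. access every database user inherits.
SELECT DB_NAME()                                    AS database_name,
       pr.name                                      AS grantee,
       pe.permission_name,
       pe.state_desc,
       SCHEMA_NAME(o.schema_id) + '.' + o.name      AS object_name,
       c.name                                       AS column_name
FROM sys.database_permissions      AS pe
JOIN sys.database_principals       AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.all_objects          AS o  ON o.object_id = pe.major_id
                                        AND pe.class = 1      -- 1 = OBJECT_OR_COLUMN
LEFT JOIN sys.columns              AS c  ON c.object_id = pe.major_id
                                        AND c.column_id = pe.minor_id
                                        AND pe.minor_id > 0   -- column-level grant
WHERE pr.name = 'public'
  AND pe.state IN ('G', 'W')
ORDER BY object_name, pe.permission_name;
```

Rows for user objects (not the built-in system objects) in step 2 are the ones worth reviewing, because the public role cannot be dropped and every principal inherits its grants.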
MySQL entitlements
- MYSQL database privileges 40
- MYSQL user privileges 40
- MYSQL host privileges 40
- MYSQL Table Privileges 40
- MYSQL database privileges 5.7/up
- MYSQL user privileges 5.7/up
- MYSQL host privileges 5.7/up
- MYSQL table privileges 5.7/up
- MYSQL database privileges 500
- MYSQL user privileges 500
- MYSQL host privileges 500
- MYSQL table privileges 500
- MYSQL database privileges 502
- MYSQL user privileges 502
- MYSQL host privileges 502
- MYSQL table privileges 502
The entitlement queries for all MySQL versions through MySQL 5.0.1 use this set of tables:
- mysql.db
- mysql.host
- mysql.tables_priv
- mysql.user
For MySQL 5.0.2 and later versions, the entitlement queries use the following set of tables:
- information_schema.SCHEMA_PRIVILEGES
- mysql.host
- information_schema.TABLE_PRIVILEGES
- information_schema.USER_PRIVILEGES
Neo4j entitlements
- Neo4j roles granted to users
- Neo4j privileges for built-in roles
- Neo4j privileges for user roles (excluding built-in roles)
- Neo4j privileges denied to user roles
Netezza entitlements
The entitlements and their descriptions are as follows:
- Netezza object privileges by db username - Object privileges with or without grant option by database username excluding admin account.
- Netezza admin privileges by db username - Admin privileges with or without grant option by database username excluding admin account.
- Netezza group /role granted to user - Group (role) granted to user.
- Netezza object privileges by group - Object privileges with or without grant option by group excluding public.
- Netezza admin privileges by group - Admin privileges with or without grant option by group excluding public.
- Netezza admin privileges by db username, group - Admin privileges with or without grant option by database username, group excluding admin account and public group.
- Netezza object privileges granted - Object privileges granted with or without grant option to public.
- Netezza admin privileges granted - Admin privileges granted with or without grant option to public.
- Netezza global admin privileges to users and groups - Global admin privilege granted to users and groups excluding admin account.
- Netezza global object privileges to users and groups - Global object privilege granted to users and groups excluding admin account.
Oracle entitlements
The entitlements and their descriptions are as follows:
- ORA accounts of ALTER SYSTEM - Accounts with ALTER SYSTEM and ALTER SESSION privileges
- ORA accounts with BECOME USER - Accounts with BECOME USER privileges
- ORA all system privileges and admin option - Report showing all system privilege and admin option for users and roles
- ORA object and columns privileges - Object and columns privileges granted (with or without grant option)
- ORA object access by public - Object access by PUBLIC
- ORA object dependencies
- ORA object privileges - Object privileges by database account not in the SYS and not a DBA role
- ORA public execute privilege on system procedure - Execute privilege on SYS PL/SQL procedures assigned to PUBLIC
- ORA roles granted - Roles granted to users and roles
- ORA system privileges granted - Hierarchical report that shows system privilege granted to users including recursive definitions (that is, privileges assigned to roles and then these roles assigned to users)
- ORA SYSDBA and SYSOPER accounts - Accounts with SYSDBA and SYSOPER privileges
/* Select privilege to these tables/views is required */
grant select on sys.dba_tab_privs to sqlguard;
grant select on sys.dba_roles to sqlguard;
grant select on sys.dba_users to sqlguard;
grant select on sys.dba_role_privs to sqlguard;
grant select on sys.dba_sys_privs to sqlguard;
grant select on sys.obj$ to sqlguard;
grant select on sys.user$ to sqlguard;
grant select on sys.objauth$ to sqlguard;
grant select on sys.table_privilege_map to sqlguard;
grant select on sys.dba_objects to sqlguard;
grant select on sys.v_$pwfile_users to sqlguard;
grant select on sys.dba_col_privs to sqlguard;
Percona MySQL entitlements
- Percona MySQL database privileges
- Percona MySQL host privileges
- Percona MySQL table privileges
- Percona MySQL user privileges
PostgreSQL and EDB PostgreSQL entitlements
The entitlements and their descriptions are as follows:
- PostgreSQL privileges on databases granted to public user role with or without granted option. Run this entitlement on any database, ideally PostgreSQL.
- PostgreSQL privileges on language granted to public user role with or without granted option. Run this entitlement per database.
- PostgreSQL privileges on schema granted to public user role with or without granted option. Run this entitlement per database.
- PostgreSQL privileges on tablespace granted to public user role with or without granted option. Run this entitlement on any database, ideally PostgreSQL.
- PostgreSQL role or user granted to user or role (9.4 and below. For PostgreSQL DB only). Run this entitlement once in any database, ideally PostgreSQL.
- PostgreSQL role or user granted to user or role (9.5 and above). Run this entitlement once in any database, ideally PostgreSQL.
- PostgreSQL super user granted to user or role. Run this entitlement once in any database, ideally PostgreSQL.
- PostgreSQL system privileges granted to user and role. Run this entitlement once in any database, ideally PostgreSQL.
- PostgreSQL table view sequence and function privileges granted to public. Run this entitlement per database.
- PostgreSQL table view sequence and function privileges granted with grant option. Exclude PostgreSQL account.
- PostgreSQL table view sequence function privileges granted to roles. Not including the public. Run this entitlement per database.
- PostgreSQL table views sequence and functions privileges granted to login. Not including Postgre system user. Run this entitlement per database.
SAP HANA entitlements
- SAP HANA Analytical privileges granted to grantee
- SAP HANA application privilege granted to grantee
- SAP HANA database object privilege granted to grantee
- SAP HANA execute objects privilege granted to public
- SAP HANA object privilege granted to grantee with grant option
- SAP HANA object privileges granted to public
- SAP HANA role granted to grantee
- SAP HANA system privileges granted to grantee
Use the script gdmmonitor-SAP-Hana.sql, which details the minimal privileges that are required on the database tables (or views of the database tables) for the entitlement to work.
For more information on running a database entitlement report, see Running database entitlement reports.
Snowflake entitlements
- Snowflake effective role hierarchy for each user
- Snowflake objects privilege granted with grant option
- Snowflake privileges for each user role
- Snowflake roles granted to users
- Snowflake user-role hierarchy path
Sybase entitlements
- Sybase accounts with system or security admin roles
- Sybase system privilege and roles granted to user including grant option
- Sybase execute privilege on procedure, function assigned to public
- Sybase object and columns privilege granted with grant option
- Sybase object access by public
- Sybase object dependencies
- Sybase object privileges by database account
- Sybase role granted to user
- Sybase role granted to user and system privileges granted to user and role including grant option
/* Select privilege to these tables/views is required */
/* These entitlements are required on MASTER database */
grant select on master.dbo.sysloginroles to sqlguard
grant select on master.dbo.syslogins to sqlguard
grant select on master.dbo.syssrvroles to sqlguard
/* These entitlements are required on every database, including MASTER */
grant select on sysprotects to sqlguard
grant select on sysusers to sqlguard
grant select on sysobjects to sqlguard
grant select on sysroles to sqlguard
If a datasource has a Sybase database type but no database name, the upload loops through all MSSQL databases that the user has access to.
Sybase IQ entitlements
Supported version is Sybase IQ 15 and later.
- Sybase IQ execute privileges on procedure function to public
- Sybase IQ group granted to user and group
- Sybase IQ login policy for user group with login
- Sybase IQ object access by public
- Sybase IQ object dependencies
- Sybase IQ object privileges by database user
- Sybase IQ object privileges by group
- Sybase IQ system authority and group granted to user and group
- Sybase IQ system authority and group granted to user
- Sybase IQ table view privileges granted with grant. Note: This entitlement is the only grant option type that is allowed in Sybase IQ. Routines cannot be granted with grant option.
- Sybase IQ user group with dba permissions admin etc
The following custom table definitions are created to upload data.
- Sybase IQ object privileges by database user
- Sybase IQ object privileges by group
- Sybase IQ system authority and group granted to user
- Sybase IQ system authority and group granted to user and group
- Sybase IQ object access by public
- Sybase IQ exec privileges on procedure function to public
- Sybase IQ user group with dba perms admin etc
- Sybase IQ table view privileges granted with grant
- Sybase IQ group granted to user and group
- Sybase IQ login policy for user group with login
You can use GuardAPI to add a datasource to Sybase IQ reports. For information, see
Teradata entitlements
- Teradata execute privileges on system database objects to public.
- Teradata object privileges by database account not including default system users.
- Teradata object privileges granted with grant option to users. This entitlement does not include DBC and grantee = All.
- Teradata objects and system privileges granted to public. Restriction: Role cannot be granted to the public in Teradata.
- Teradata roles granted to users and roles including grant option.
- Teradata system privileges and roles granted
- Teradata system privileges granted to users and roles including grant option.
- Teradata system admin and security admin privileges granted to user and role. Remember: A system or security admin role does not exist in Teradata. Users must create their own roles. Some important system privileges that are normally not granted to a normal user are: ABORT SESSION, CREATE DATABASE, CREATE PROFILE, CREATE ROLE, CREATE USER, DROP DATABASE, DROP PROFILE, DROP ROLE, DROP USER, MONITOR RESOURCE, MONITOR SESSION, REPLICATION OVERRIDE, SET SESSION RATE, SET RESOURCE RATE.
/* Select privilege to these tables/views is required */
GRANT SELECT ON DBC.AllRights TO sqlguard;
GRANT SELECT ON DBC.Tables TO sqlguard;
GRANT SELECT ON DBC.AllRoleRights TO sqlguard;
GRANT SELECT ON DBC.RoleMembers TO sqlguard;