Groups overview
Group similar data objects together and use them in creating query, policy, and classification definitions. Use one of the many predefined groups, or create your own group by using the Group Builder.
Groups are practical to use in many places. By grouping similar data objects, you can use the whole set of objects in policies, classifications, queries, and reports, rather than having to select multiple data objects individually.
If you need to change a query or policy, rather than applying those changes to each individual object, you can apply those changes to the group.
S-TAPs and GIM also use groups to make it easier to roll out updates across managed servers.
Group Builder
Use the Group Builder to create a new group or modify an existing group from the user interface.
To open the Group Builder, click .
Use the Group Filter screen to sort through groups based on application type, group type, description, or category.
Types of groups
Tuple groups
A tuple group allows multiple attributes to be combined to form a single composite group member. Tuples can help simplify specifying conditions for reporting and policy rules. An ordered set of three values is called a 3-tuple. An n-tuple is an ordered set of n attribute values.
- Tuple groups - Object/Command, Object/Field, Client IP/DB User, Server IP/DB User
- 3-tuple groups - Client IP/Source Program/DB User, DB User/Object/Privilege
- 5-tuple group - Client IP/Source Program/DB User/Server IP/Service Instance
- 7-tuple group - Client IP/Src App/DB User/Server IP/Svc. Name/OS User/DB Name
Predefined groups
Guardium includes a number of predefined groups. Use the Group Filter and menu to browse the list of groups and find the one that best suits your needs.
Group types DB User and DB Password are by default only available to admin users. Modify the group roles if you want to change this default setting.
Overlapping group memberships
Group members can be in more than one group.
For example, two predefined groups, Create Commands and DDL Commands, both have members that are named CREATE TABLE. If you query for either of these groups, all of the CREATE TABLE members from the reporting period are counted in that group.
In some cases, you might want to define a set of groups so that each member belongs to only one group. For example, suppose that for reporting purposes you need to group database users into one of two groups: employees or consultants. You can define each of those groups with the same subgroup type (Employee-Status, for example). When subgroups are used, you cannot add a member to a subgroup if that member was already added to another group with the same subgroup type.
Wildcards in members
Group members can include wildcard (%) characters, which are applied when the group is used in a query condition or policy rule.
Member | Matches | Does not match |
---|---|---|
aaa% | aaa, aaazzz | zzzaaa, aaz |
%bbb | bbb, zzbbb | bb, bbbzzz |
%ccc% | ccc, ccczz, zzzccczzz | cc, zzzcczzz |
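The following added example (not Guardium code) checks which observed values a group's wildcard members would match before the group is used in a policy rule. The function names and sample values are hypothetical and constructed for illustration, and the example assumes case-sensitive comparison with % standing for zero or more characters, as in the table above.

```python
import re

def member_matches(member: str, value: str) -> bool:
    """Return True if value matches a group member that may contain % wildcards.

    Assumption: comparison is case-sensitive and % stands for zero or more
    characters, as in the table above.
    """
    # Escape each literal piece so characters such as "." in an IP address
    # are compared literally, then join the pieces with ".*" for each %.
    pattern = ".*".join(re.escape(piece) for piece in member.split("%"))
    return re.fullmatch(pattern, value, flags=re.DOTALL) is not None

def audit_group(members, observed):
    """Map every observed value to the list of members that match it."""
    return {v: [m for m in members if member_matches(m, v)] for v in observed}

def uncovered(members, observed):
    """Observed values that no member of the group matches."""
    return [v for v, hits in audit_group(members, observed).items() if not hits]

if __name__ == "__main__":
    # Constructed sample data, not taken from a real system.
    members = ["10.1.%", "%svc", "APP%"]
    observed = ["10.1.5.20", "10a1b5", "10.11.5.20", "billingsvc", "APPUSER", "appuser"]
    for value, hits in audit_group(members, observed).items():
        print(f"{value:12} -> {hits or 'NOT IN GROUP'}")
```

A member such as 10.1.% covers 10.1.5.20 but not 10.11.5.20, which is the kind of gap to check for when a group of client IP prefixes drives a policy rule.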
Wildcards for security assessment test exceptions
To create a wildcard search within groups for security assessment test exceptions, preface the member name with (R). You can then create a regular expression search for the group by using period (.) and asterisk (*) operators to match exactly one character (.) or zero or more characters (*).
Member | Matches | Does not match |
---|---|---|
(R)aaa | aaa, zzaaa, aaazz | Aaa, zzaba |
(R)aaa* | aaa, aaazzz | zzzaaa, aaz, AAA |
(R)*bbb | bbb, zzbbb | bb, bbbzzz, Bbb |
(R)*c.c* | cbc, ccc, _c3c123 | cc, _CAC123 |
Managed Unit Groups
Managed unit groups are distinct from the groups that are created through the Group Builder and used for grouping elements. Groups that are created through the Group Builder help simplify creating and managing policies and clarify the presentation of reports. For more information about managed unit groups, see Creating managed unit groups.