Entitlement Optimization Recommendations
Recommendations pinpoint specific actions that reduce each user's access to only what is required.
Data is presented in the tab from the first Sunday after you enabled the feature.
The system continuously evaluates users and privileges. The weekly Entitlement recommendations report is based on the last 3 weeks of data (by default), so each new report overlaps with the data of the previous report. The Recommendations tab is equivalent to the Recommendations report in “Reports”, which can be enabled as a distributed report.
If you customized the userScope parameter, the recommendations only include users from the specified user groups. The userScope and objectScope parameters explicitly define the scope of recommendations. To maximize the accuracy of recommendations regarding users and objects, the users and objects in the specified groups should have Full Audit.
All recommendations must be thoroughly investigated by the admin, by drilling down to the specific server, database, object, and recommendation type, before implementation.
The top of the tab contains a pie graph that shows the recommendations by type. The table at the bottom of the window lists the recommendations. You can modify the recommendations report using the standard reports icons, export the report by clicking Export, and map to API by clicking Actions.
The recommendations types are:
Type | String | Details
---|---|---
ANOMAL USER | User {object} has anomal activity within role {source} | The user's activity count within a specific role is anomalous: the user is either much more active or much less active than the other users in the role.
ALERT ACTIVITY (Ad-hoc user) | User {source} used the privilege {verb}-{object} but no entitlement was found | A typical ad hoc user grants itself a permission, performs an action, and then removes the permission. Users can be erroneously identified as ad hoc because of the time difference between the entitlement changes and their activities. Use the Guardium Activity Monitoring tools to determine whether or not the privilege is justified.
DORMANT_USER | Remove inactive or empty user {object} | The user has no assigned privilege or had no activity within the given interval.
DORMANT_ROLE | Remove inactive or empty role {role} | The role has no users, no activity by any of its users, or no privileges.
REVOKE_FROM_USER | Revoke {verb}-{object} from user {source} | The user did not perform any activity with the listed verb on the listed object.
REVOKE_FROM_ROLE | Revoke {verb}-{object} from role {source} | None of the users in the role performed any activity with the listed verb on the listed object.
REMOVE_FROM_ROLE | Remove user {object} from role {source} | The user did not use any of the privileges granted through the role.
INACTIVE DATABASE | Database has no activity | If the unused database cannot be justified, remove it.
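The following script is an added illustration, not Guardium code, of how the rules in the table above turn entitlement data plus a rolling activity window into recommendations. It assumes a simplified model (direct grants, role grants, role membership, and per-day activity records, all constructed here as sample data) and applies the stated semantics: activity with no matching entitlement yields ALERT ACTIVITY, a user with no privileges or no activity in the window yields DORMANT_USER (an assumption made here is that such a user gets no additional REVOKE_FROM_USER lines), an unused direct grant yields REVOKE_FROM_USER, a role privilege unused by every member yields REVOKE_FROM_ROLE, a member who uses none of the role's privileges yields REMOVE_FROM_ROLE, and a role with no members, no privileges, or no active members yields DORMANT_ROLE. ANOMAL USER and INACTIVE DATABASE are left out because they need activity statistics and database-level data the sample does not model. Widening the window (the `weeks` parameter, mirroring the 3-week default described above) changes the outcome for a user whose only activity is older than 3 weeks.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

Priv = Tuple[str, str]  # (verb, object)


@dataclass(frozen=True)
class Grant:
    grantee: str  # user name or role name
    verb: str
    obj: str


@dataclass(frozen=True)
class Activity:
    user: str
    verb: str
    obj: str
    day: date


# Constructed sample entitlements and audit activity (hypothetical, not Guardium data).
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "analyst": {"alice", "bob", "frank"},
    "reporting": {"carol", "eve"},
    "legacy": set(),  # role with no members at all
}
USER_GRANTS = [
    Grant("alice", "SELECT", "orders"),
    Grant("alice", "DELETE", "orders"),    # granted directly, never used in the window
    Grant("dave", "SELECT", "customers"),  # dave has no activity in the window
    Grant("frank", "SELECT", "orders"),
]
ROLE_GRANTS = [
    Grant("analyst", "SELECT", "customers"),
    Grant("analyst", "UPDATE", "customers"),  # no analyst member ever uses this
    Grant("reporting", "SELECT", "orders"),
    Grant("legacy", "SELECT", "orders"),
]
ACTIVITY = [
    Activity("alice", "SELECT", "orders", date(2024, 2, 20)),
    Activity("alice", "SELECT", "customers", date(2024, 2, 25)),
    Activity("bob", "SELECT", "customers", date(2024, 2, 28)),
    Activity("frank", "SELECT", "orders", date(2024, 2, 22)),  # uses only his direct grant
    Activity("carol", "SELECT", "orders", date(2024, 3, 1)),
    Activity("carol", "DROP", "orders", date(2024, 3, 2)),     # no entitlement covers DROP
    Activity("eve", "SELECT", "customers", date(2024, 1, 1)),  # older than a 3-week window
]
REPORT_DATE = date(2024, 3, 3)


def recommend(user_grants, role_grants, role_members, activity, report_date, weeks=3):
    """Return (type, string) pairs following the recommendation table's semantics."""
    start = report_date - timedelta(weeks=weeks)
    # Privileges each user actually exercised inside the reporting window.
    used: Dict[str, Set[Priv]] = {}
    for a in activity:
        if start <= a.day <= report_date:
            used.setdefault(a.user, set()).add((a.verb, a.obj))
    role_privs: Dict[str, Set[Priv]] = {}
    for g in role_grants:
        role_privs.setdefault(g.grantee, set()).add((g.verb, g.obj))
    # Effective entitlement = direct grants plus privileges of every role the user belongs to.
    users = {g.grantee for g in user_grants} | {u for m in role_members.values() for u in m}
    entitled: Dict[str, Set[Priv]] = {u: set() for u in users}
    for g in user_grants:
        entitled[g.grantee].add((g.verb, g.obj))
    for role, members in role_members.items():
        for u in members:
            entitled[u] |= role_privs.get(role, set())
    recs: List[Tuple[str, str]] = []
    # ALERT ACTIVITY: exercised privilege with no entitlement behind it (ad hoc user pattern).
    for u in sorted(used):
        for verb, obj in sorted(used[u] - entitled.get(u, set())):
            recs.append(("ALERT ACTIVITY", f"User {u} used the privilege {verb}-{obj} but no entitlement was found"))
    # DORMANT_USER, else REVOKE_FROM_USER for each unused direct grant.
    for u in sorted(users):
        if not entitled[u] or not used.get(u):
            recs.append(("DORMANT_USER", f"Remove inactive or empty user {u}"))
            continue
        for g in user_grants:
            if g.grantee == u and (g.verb, g.obj) not in used[u]:
                recs.append(("REVOKE_FROM_USER", f"Revoke {g.verb}-{g.obj} from user {u}"))
    # DORMANT_ROLE, else REMOVE_FROM_ROLE / REVOKE_FROM_ROLE.
    for role in sorted(role_members):
        members, privs = role_members[role], role_privs.get(role, set())
        if not members or not privs or not any(used.get(u) for u in members):
            recs.append(("DORMANT_ROLE", f"Remove inactive or empty role {role}"))
            continue
        for u in sorted(members):
            if used.get(u) and not (used[u] & privs):
                recs.append(("REMOVE_FROM_ROLE", f"Remove user {u} from role {role}"))
        for verb, obj in sorted(privs):
            if not any((verb, obj) in used.get(u, set()) for u in members):
                recs.append(("REVOKE_FROM_ROLE", f"Revoke {verb}-{obj} from role {role}"))
    return recs


def report(weeks: int = 3) -> List[Tuple[str, str]]:
    """Run the sample data through recommend() with the given window length."""
    return recommend(USER_GRANTS, ROLE_GRANTS, ROLE_MEMBERS, ACTIVITY, REPORT_DATE, weeks)


if __name__ == "__main__":
    for kind, text in report():
        print(f"{kind:18} {text}")
```

With the default 3-week window, eve is reported as a dormant user because her only activity predates the window; with `report(weeks=10)` that activity counts, and since it used a privilege her role does not grant, she is instead flagged under ALERT ACTIVITY and REMOVE_FROM_ROLE. This is exactly why the text above insists on drilling down before acting on a recommendation: the window length alone can change which recommendation a user receives.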