How to distribute workflow through Guardium groups
Using the receiver group option, define a single Compliance Workflow audit process that will send different results to different Guardium users based on a pre-defined, custom mapping.
Value-added: Set up a single audit process and distribute the appropriate results to the appropriate manager. This saves having to create separate audit processes for separate receivers.
IBM® Guardium®’s Compliance Workflow Automation automatically delivers reports, classification results, and security assessment results to Guardium users on a scheduled basis. Result receivers can be defined as Guardium users, Guardium roles or user groups.
For example, consider a large organization that has fifteen DBA managers who need to review the activities of the DBAs they manage without viewing the activities of the other managers' DBAs. One solution would be to set up fifteen separate audit processes, one for each manager. This would take a lot of time to configure and is difficult to manage: each audit process needs to be scheduled separately, and any global change would need to be made individually in all fifteen audit processes.
The user group distribution method, on the other hand, permits the setup of a single audit process and distributes the appropriate results to each manager based on a manager/DBA mapping. This process requires more upfront configuration but reduces maintenance time. Only one audit process needs to be scheduled, and changes only need to be applied in one location.
User mapping
The first step in the process is to map the users to the data elements within Guardium that will be the basis for report distribution. The example that will be used in this document will be based on objects, but you can apply these concepts with any data element within Guardium.
Example: Three users have responsibility over three different sets of tables, based on audit requirements (PCI, HIPAA, and CCI) within a database server, as follows:
User | Table/Object |
---|---|
User01 | db2inst1.cc_numbers |
User01 | db2inst1.ccn |
User02 | db2inst1.ADDRESSES |
User02 | db2inst1.SSN_NUMBERS |
User02 | db2inst1.G_CUSTOMERS |
User02 | db2inst1.G_EMPLOYEES |
User02 | db2inst1.G_FUNDS |
User03 | db2inst1.doctor |
User03 | db2inst1.medicare |
User03 | db2inst1.med_history |
This table must be added as a custom table within Guardium, either manually or through a data upload. The following steps demonstrate how to create a custom table manually. The screenshots are from the “admin” user interface, but they can also be accessed from within the “user” user interface.
- Navigate to and press the Manually Define button.
- At the Custom Table Builder screen, define the table layout. Make sure that Group Type matches the correct data element in Guardium. Press Apply and Back when complete.
- Press Edit Data to manually add the records. Note: if you have a large amount of data, choose Upload Data to import from an external data source.
- Press Insert.
- Enter each combination of values and press Insert until you have added all of the required records.
- When complete, press the Query button to review the data.
- Press return when complete.
Custom Domains
Next, join this custom table to the Guardium table structure using Custom Domains.
- Navigate to . Highlight [Custom] Access and press Clone.
- In the Custom Domain Builder:
  - Highlight the new table created under Available entities.
  - Highlight the table under Domain entities to which you would like to join the custom table.
  - Under Join condition, choose the fields on each table on which to create the join and press Add Pair.
- Press the arrows (>>) button to move the custom table from Available entities to Domain entities.
- Press the Detail button to review the joins.
- Confirm that the joins are correct and press Close.
- Press Apply to save the new custom domain.
Custom Report
Next, create a report to distribute to the users.
- Navigate to and select the new domain from the Domain drop-down menu.
- Press New.
- Enter a Query Name and Main Entity and press Next.
- Create a new report with a run-time parameter for the user field created in the custom table.
User Group
Create a new group of “Guardium Users” based on the custom table.
- Navigate to and create a new group with Guardium Users as the Group Type.
- Add all of the users from the custom table.
Audit Process
- Create a new Audit Process.
- Choose the group created in User Group as the Receiver.
- Choose the custom report created in step 4 as the task.
- In the run-time parameter, enter the special tag “./LoggedUser”. This will cause the results to be distributed based on the custom mapping.
- Press Run Once Now to run the Audit Process.
When the audit process completes, each receiver should receive a different result set based on the mapping.
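Because every receiver's result set depends entirely on the custom mapping and the receiver group, it is worth checking both before scheduling the process. The following is an added example, not Guardium code or an IBM tool: it models the per-receiver filtering in plain Python and flags mapping problems. The receiver `User04`, the sample report rows, and the exact-match (case-sensitive) comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Mapping rows copied from the table on this page: (Guardium user, object).
MAPPING = [
    ("User01", "db2inst1.cc_numbers"), ("User01", "db2inst1.ccn"),
    ("User02", "db2inst1.ADDRESSES"), ("User02", "db2inst1.SSN_NUMBERS"),
    ("User02", "db2inst1.G_CUSTOMERS"), ("User02", "db2inst1.G_EMPLOYEES"),
    ("User02", "db2inst1.G_FUNDS"), ("User03", "db2inst1.doctor"),
    ("User03", "db2inst1.medicare"), ("User03", "db2inst1.med_history"),
]
# Constructed: receiver group with one member (User04) missing from the mapping.
RECEIVER_GROUP = {"User01", "User02", "User03", "User04"}
# Constructed report rows: (database user, object accessed).
ROWS = [
    ("dba_a", "db2inst1.ccn"),
    ("dba_b", "db2inst1.G_FUNDS"),
    ("dba_c", "db2inst1.medicare"),
    ("dba_a", "db2inst1.CC_NUMBERS"),   # differs from the mapping only by case
    ("dba_d", "db2inst1.payroll"),      # not mapped to any reviewer
]

def results_for(receiver, mapping, rows):
    """Rows one receiver would see if the report is filtered by an exact-match join."""
    allowed = {obj for user, obj in mapping if user == receiver}
    return [row for row in rows if row[1] in allowed]

def preflight(mapping, group, rows):
    """Report mapping problems that would hide rows or over-share them."""
    owners = defaultdict(set)
    for user, obj in mapping:
        owners[obj].add(user)
    mapped_users = {user for user, _ in mapping}
    folded = {obj.lower() for obj in owners}
    seen = {obj for _, obj in rows}
    return {
        "receivers_without_mapping": sorted(group - mapped_users),
        "mapped_users_not_in_group": sorted(mapped_users - group),
        "objects_with_several_reviewers": sorted(o for o, u in owners.items() if len(u) > 1),
        "case_mismatches": sorted(o for o in seen if o not in owners and o.lower() in folded),
        "unmapped_objects": sorted(o for o in seen if o.lower() not in folded),
    }

if __name__ == "__main__":
    for name, items in preflight(MAPPING, RECEIVER_GROUP, ROWS).items():
        print(f"{name}: {items}")
    for receiver in sorted(RECEIVER_GROUP):
        print(receiver, results_for(receiver, MAPPING, ROWS))
```

Rows listed under `unmapped_objects` or `case_mismatches` reach no reviewer at all in this model, which is the gap to close before relying on the distributed reports for compliance review.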