Exporting and importing definitions
Use export and import definitions if you have multiple systems with identical or similar requirements and are not using central management. You can define the components that you need on one system and export those definitions to other systems that are on the same software release level.
You can export one type of definition (reports, for example) at a time. Each element that you export can cause other referenced definitions to be exported as well. For example, a report is always based on a query, and it can also reference other items, such as IP address groups or time periods. All referenced definitions (except for security roles) are exported along with the report definition. However, only one copy of a definition is exported if that definition is referenced in multiple exported items. An export of policies or queries exports only the groups that are referenced by the exported policies or queries.
Using export and import definitions
UseDefinitions export to save and share defined functional values such as reports and queries, CAS data, or classifier data. The export types are saved as .sql files.
You can import the exported definitions onto servers that use the same Guardium Software version. In general, if you export definitions from a Guardium V10 system, then you can import those definitions only onto another V10 system.
You can export data marts and reports from an earlier version and import to a later version. For example, you can export definitions from a Guardium V10 system and import the definitions onto a V11 system. However, you cannot export from a later version to an earlier version.
Export definitions rules
When you export definitions, Guardium cannot export the following elements:
- For graphical reports, the presentation parameter settings (such as colors, fonts, or titles) are not exported. When imported, these reports use the default presentation parameter settings for the importing system.
- Subscribed groups are not exported. When you export definitions that reference subscribed groups, make sure that all referenced subscribed groups are installed on the importing appliance (or the central manager in a centrally managed environment).
- Comments are not exported.
- When you export a data source with an open source driver, the open source driver is not included in the export. Upload the open source driver into the new system before you import the data source definition that was created by using it. If the open source driver is not available during the import, Guardium substitutes the data direct driver.
- When you export the definition of classifier policies, any custom evaluation classes that are associated with the policies are not exported with the definition. For the imported policies to work, upload the custom evaluation classes separately.
In addition, be aware of the following rules before you export definitions.
- You cannot import or export definitions between different languages. For example, if you export a file from a Simplified Chinese Guardium® system, you cannot import the file to a system where the language is set to English.
- Definitions export and import logs have the same retention period as the monitored database activity logs.
- When you export audit process definitions of scheduled runs (including schedule time) to another system, the Active checkbox in Audit Process Builder is never checked.
- For Schedule start time of an audit process that is defined on one appliance and exported to another (unrelated) appliance; if the original schedule start time is defined, it is retained. If the original schedule start time is not defined (empty), then the imported schedule start time is set to the time it was imported.
- Large complex imports can take a long time and can exceed the length of the user's session. If the session times out, the import continues to run in the background until it completes.
Import definitions rules
- When you import an existing group, members can be added, but members are not deleted.
- When you import aliases, new aliases can be added, but aliases are not deleted.
- When a definition is created, the user who creates it is saved as the owner of that definition. Therefore, if no security roles are assigned to that definition, only the owner and the admin user have access to it.
- When you import a definition, the owner is always changed to admin.
- References to security roles are removed from exported definitions. Therefore, any imported definitions do not have assigned roles.
- A reference to a user in an exported definition causes the user definition to be exported. When
definitions are imported, the referenced user definitions are imported only if they do not exist on
the importing system. In other words, existing user definitions are never overwritten. The
implications are described in Duplicate Group and User Implications.
In addition, imported user definitions are disabled. Imported users can receive email notifications that are sent from the importing system, but they cannot log in to that system, unless and until the administrator enables that account.
Duplicate Group and User Implications
If a group that is referenced by an exported definition exists on the importing system, the definition of the exported group is not imported. If the group is not used for the same purposes on both systems, this might create some confusion.
If a user definition exists on the importing system, it might not be for the same person that is defined on the exporting system. For example, assume that on the exporting system the user jdoe with the email address john_doe@example.com is a recipient of output from an exported alert. Assume also that on the importing system, the jdoe user exists for a person with the email address jane_doe@sample.com. The exported user definition is not imported, and when the imported alert is triggered, email is sent to jdoe at jane_doe@sample.com. In either case, when security roles or user definitions are not imported, check the definitions on both systems to see whether differences exist. If so, make the appropriate adjustments to those definitions.
Definition Types for Exporting
Can export | Cannot export |
---|---|
Alert | Custom Alerting Class For alerts, you can choose to exclude group members. For more information, see the description under Group. |
Alias | Custom Assessment Test |
Audit process | Custom Identification Procedure |
Auto-discovery process | |
AWS Secrets Manager configuration | |
CAS hosts | |
CAS template Sets | |
Classification process | Access Rule |
Classifier policy | |
Cloud service account | |
Compound attribute | |
Configuration profile | |
Custom class connection permission | |
Custom domain | |
Custom table | |
CyberArk configuration | |
Dashboard | |
Data classifier | |
Datamart | |
Datasource | |
Datasource custom field | |
Datasource group | |
Discover sensitive data | |
Distributed reports | |
Event type | |
External feed | |
External ticket configuration | |
Group | The Exclude group members option displays for data sets that have groups somewhere in the export hierarchy (for example, exporting an alert includes the alert query, and the query might include groups in the query conditions). If the export does not include groups, the Exclude group members option does not display. When the option is set, the export file includes groups (if groups are linked to the exported definition) but members of the groups are not exported. The option is not set by default. In addition, the state is not persistent and it applies only to the current export. |
HashiCorp configuration | |
IMS definition | |
Investigation dashboard | |
Kerberos configuration | |
LDAP user import config | Passwords |
Named template | |
Period (time period) | |
Policy (but not an included baseline) | |
Privacy set | |
Query | |
Query rewrite definition | |
Replay | |
Report | For reports, you can choose to exclude group members. For more information, see the description under Group. |
Role | |
Security assessment | |
Security assessment with no datasources | For security assessments with no datasources, you can choose to exclude group members. For more information, see the description under Group. |
User | |
Users database mapping | |
Users database permission | |
Users hierarchy |
Exporting definitions
- Go to Definitions Export page opens. . The
- Select an option from the menu. The menu populates with definitions of the selected type.
- Select all of the definitions of this type to be exported.
- Click Export. Depending on your browser security settings, you might receive a warning message that asks if you want to save the file or to open it using an editor.
- Save the exported file in an appropriate location.
Importing definitions
- Go to Definitions Import page opens. . The
- Click Browse to locate and select the file.
- Click Upload. You are notified when the operation completes and the definitions that are contained in the file are displayed. Repeat to upload additional files.
- Use the Fully synchronize group members checkbox to set the behavior of how to add new group members imported directly or via other data sets such as queries or policies. If not checked, new members that are in the import are added, but members not in the import are not removed. If checked, then group members not in the import are removed. Use the Set as default button next to the checkbox to save the checkbox setting.
- Click Import this set of Definitions to import a set of definitions, or click Remove this set of Definitions without Importing to remove the uploaded file without importing the definitions.
- You are prompted to confirm either action. Note: An import operation does not overwrite an existing definition. If you attempt to import a definition with the same name as an existing definition, you are notified that the item was not replaced. If you want to overwrite an existing definition with an imported one, you must delete the existing definition before performing the import operation.
Exporting to XACML Protocol
Guardium supports export of Policy Rules to a XACML file, and import of XACML files to another Guardium system.
The XACML (eXtensible Access Control Markup Language) is a declarative access control policy language that is implemented in XML and a processing model, describing how to interpret the policies.
- Click .
- Select Policy from the menu.
- Check the Export to XACML File check box.
- Select definitions from the Definitions to Export menu.
- Click Export.
To Import an XACML file from another Guardium system, open the Definitions Import by clicking
.