Exporting and importing definitions

Use export and import definitions if you have multiple systems with identical or similar requirements and are not using central management. You can define the components that you need on one system and export those definitions to other systems that are on the same software release level.

You can export one type of definition (reports, for example) at a time. Each element that you export can cause other referenced definitions to be exported as well. For example, a report is always based on a query, and it can also reference other items, such as IP address groups or time periods. All referenced definitions (except for security roles) are exported along with the report definition. However, only one copy of a definition is exported if that definition is referenced in multiple exported items. An export of policies or queries exports only the groups that are referenced by the exported policies or queries.

Using export and import definitions

Use Definitions export and Definitions import to save and then restore functional data from a specific Guardium system. For example, you can create a report on one Guardium system and then import that same report onto another server (of the same installed Guardium version).
Note: The export and import function is not the same as a full backup of the server. Be sure that you still define and run backups on a scheduled or manual basis.

Use Definitions export to save and share defined functional values such as reports and queries, CAS data, or classifier data. The export types are saved as .sql files.

You can import the exported definitions onto servers that use the same Guardium Software version. In general, if you export definitions from a Guardium V10 system, then you can import those definitions only onto another V10 system.

You can export data marts and reports from an earlier version and import to a later version. For example, you can export definitions from a Guardium V10 system and import the definitions onto a V11 system. However, you cannot export from a later version to an earlier version.

Export definitions rules

When you export definitions, Guardium cannot export the following elements:

  • For graphical reports, the presentation parameter settings (such as colors, fonts, or titles) are not exported. When imported, these reports use the default presentation parameter settings for the importing system.
  • Subscribed groups are not exported. When you export definitions that reference subscribed groups, make sure that all referenced subscribed groups are installed on the importing appliance (or the central manager in a centrally managed environment).
  • Comments are not exported.
  • When you export a data source with an open source driver, the open source driver is not included in the export. Upload the open source driver into the new system before you import the data source definition that was created by using it. If the open source driver is not available during the import, Guardium substitutes the data direct driver.
  • When you export the definition of classifier policies, any custom evaluation classes that are associated with the policies are not exported with the definition. For the imported policies to work, upload the custom evaluation classes separately.

In addition, be aware of the following rules before you export definitions.

  • You cannot import or export definitions between different languages. For example, if you export a file from a Simplified Chinese Guardium® system, you cannot import the file to a system where the language is set to English.
  • Definitions export and import logs have the same retention period as the monitored database activity logs.
  • When you export audit process definitions of scheduled runs (including schedule time) to another system, the Active checkbox in Audit Process Builder is never checked.
  • When an audit process that is defined on one appliance is exported to another (unrelated) appliance, the schedule start time is retained if it was defined on the original appliance. If the original schedule start time is not defined (empty), the imported schedule start time is set to the time of the import.
  • Large complex imports can take a long time and can exceed the length of the user's session. If the session times out, the import continues to run in the background until it completes.

Import definitions rules

Before you import definitions, make sure you understand the following rules.

  • When you import an existing group, members can be added, but members are not deleted.
  • When you import aliases, new aliases can be added, but aliases are not deleted.
  • When a definition is created, the user who creates it is saved as the owner of that definition. Therefore, if no security roles are assigned to that definition, only the owner and the admin user have access to it.
  • When you import a definition, the owner is always changed to admin.
  • References to security roles are removed from exported definitions. Therefore, any imported definitions do not have assigned roles.
  • A reference to a user in an exported definition causes the user definition to be exported. When definitions are imported, the referenced user definitions are imported only if they do not exist on the importing system. In other words, existing user definitions are never overwritten. The implications are described in Duplicate Group and User Implications.

    In addition, imported user definitions are disabled. Imported users can receive email notifications that are sent from the importing system, but they cannot log in to that system, unless and until the administrator enables that account.

Duplicate Group and User Implications

If a group that is referenced by an exported definition exists on the importing system, the definition of the exported group is not imported. If the group is not used for the same purposes on both systems, this might create some confusion.

If a user definition exists on the importing system, it might not be for the same person that is defined on the exporting system. For example, assume that on the exporting system the user jdoe with the email address john_doe@example.com is a recipient of output from an exported alert. Assume also that on the importing system, the jdoe user exists for a person with the email address jane_doe@sample.com. The exported user definition is not imported, and when the imported alert is triggered, email is sent to jdoe at jane_doe@sample.com. In either case, when security roles or user definitions are not imported, check the definitions on both systems to see whether differences exist. If so, make the appropriate adjustments to those definitions.

Definition Types for Exporting

Table 1. Definition Types for Exporting

Can export:
  • Alert. For alerts, you can choose to exclude group members. For more information, see the description under Group.
  • Alias
  • Audit process
  • Auto-discovery process
  • AWS Secrets Manager configuration
  • CAS hosts
  • CAS template sets
  • Classification process
  • Classifier policy
  • Cloud service account
  • Compound attribute
  • Configuration profile
  • Custom class connection permission
  • Custom domain
  • Custom table
  • CyberArk configuration
  • Dashboard
  • Data classifier
  • Datamart
  • Datasource
  • Datasource custom field
  • Datasource group
  • Discover sensitive data
  • Distributed reports
  • Event type
  • External feed
  • External ticket configuration
  • Group. The Exclude group members option displays for data sets that have groups somewhere in the export hierarchy (for example, exporting an alert includes the alert query, and the query might include groups in the query conditions). If the export does not include groups, the Exclude group members option does not display. When the option is set, the export file includes groups (if groups are linked to the exported definition) but members of the groups are not exported. The option is not set by default. In addition, the state is not persistent and it applies only to the current export.
  • HashiCorp configuration
  • IMS definition
  • Investigation dashboard
  • Kerberos configuration
  • LDAP user import config
  • Named template
  • Period (time period)
  • Policy (but not an included baseline)
  • Privacy set
  • Query
  • Query rewrite definition
  • Replay
  • Report. For reports, you can choose to exclude group members. For more information, see the description under Group.
  • Role
  • Security assessment
  • Security assessment with no datasources. For security assessments with no datasources, you can choose to exclude group members. For more information, see the description under Group.
  • User
  • Users database mapping
  • Users database permission
  • Users hierarchy

Cannot export:
  • Custom Alerting Class
  • Custom Assessment Test
  • Custom Identification Procedure
  • Access Rule
  • Passwords

Exporting definitions

  1. Go to Manage > Data Management > Definitions Export. The Definitions Export page opens.
  2. Select an option from the Type menu. The Definitions to Export menu populates with definitions of the selected type.
  3. Select all of the definitions of this type to be exported.
  4. Click Export. Depending on your browser security settings, you might receive a warning message that asks if you want to save the file or to open it using an editor.
  5. Save the exported file in an appropriate location.

Importing definitions

  1. Go to Manage > Data Management > Definitions Import. The Definitions Import page opens.
  2. Click Browse to locate and select the file.
  3. Click Upload. You are notified when the operation completes and the definitions that are contained in the file are displayed. Repeat to upload additional files.
  4. Use the Fully synchronize group members checkbox to set the behavior of how to add new group members imported directly or via other data sets such as queries or policies. If not checked, new members that are in the import are added, but members not in the import are not removed. If checked, then group members not in the import are removed. Use the Set as default button next to the checkbox to save the checkbox setting.
  5. Click Import this set of Definitions to import a set of definitions, or click Remove this set of Definitions without Importing to remove the uploaded file without importing the definitions.
  6. You are prompted to confirm either action.
    Note: An import operation does not overwrite an existing definition. If you attempt to import a definition with the same name as an existing definition, you are notified that the item was not replaced. If you want to overwrite an existing definition with an imported one, you must delete the existing definition before performing the import operation.
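The rules above (group members added but not removed unless Fully synchronize group members is set, user definitions never overwritten and imported disabled, roles stripped, owner changed to admin, same-name definitions not replaced) interact in ways that are easy to miss during a migration, particularly the jdoe case from Duplicate Group and User Implications. The following is an added example, not Guardium code, that models those rules on constructed data so the outcome of an import can be reasoned about before it is run. Names such as "Sensitive Objects", "PII access alert", "soc_oncall" and the warning messages are this example's own assumptions.

```python
"""Model of the definitions import rules on this page (added example, not Guardium code):
groups are merged or fully synchronized, users are never overwritten and arrive disabled,
roles are stripped, the owner becomes admin, and same-name definitions are not replaced."""
from dataclasses import dataclass, field, replace


@dataclass
class User:
    name: str
    email: str
    enabled: bool = True


@dataclass
class Group:
    name: str
    members: set


@dataclass
class Definition:
    """An alert-like definition: references groups (via its query) and recipient users."""
    name: str
    owner: str
    roles: set
    groups: set
    recipients: set


@dataclass
class System:
    users: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)
    definitions: dict = field(default_factory=dict)


def export_definition(src, name):
    """Export bundle: the definition without its role references, plus one copy of each
    referenced group and user."""
    d = src.definitions[name]
    return {
        "definition": replace(d, roles=set()),
        "groups": {g: Group(g, set(src.groups[g].members)) for g in d.groups},
        "users": {u: replace(src.users[u]) for u in d.recipients},
    }


def import_bundle(dst, bundle, fully_synchronize=False):
    report = {"added": [], "skipped": [], "warnings": []}
    for name, g in bundle["groups"].items():
        if name not in dst.groups:
            dst.groups[name] = Group(name, set(g.members))
        elif fully_synchronize:          # members not in the import are removed
            dst.groups[name].members = set(g.members)
        else:                            # members are only added, never removed
            dst.groups[name].members |= g.members
    for name, u in bundle["users"].items():
        if name in dst.users:            # existing user definitions are never overwritten
            if dst.users[name].email != u.email:   # warning is this example's own addition
                report["warnings"].append(
                    f"user {name} already exists with email {dst.users[name].email}, "
                    f"export had {u.email}")
        else:                            # new users are imported disabled
            dst.users[name] = replace(u, enabled=False)
            report["added"].append(f"user:{name}")
    d = bundle["definition"]
    if d.name in dst.definitions:        # same-name definition: not replaced
        report["skipped"].append(d.name)
    else:
        dst.definitions[d.name] = replace(d, owner="admin", roles=set())
        report["added"].append(f"definition:{d.name}")
    return report


def recipient_emails(system, definition_name):
    """Where notifications from the importing system actually go after the import."""
    return sorted(system.users[u].email
                  for u in system.definitions[definition_name].recipients)


def build_source():
    # Constructed exporting system, following the jdoe scenario on this page.
    src = System()
    src.users["jdoe"] = User("jdoe", "john_doe@example.com")
    src.users["soc_oncall"] = User("soc_oncall", "soc@example.com")
    src.groups["Sensitive Objects"] = Group("Sensitive Objects", {"CUSTOMERS", "CARDS"})
    src.definitions["PII access alert"] = Definition(
        "PII access alert", owner="analyst", roles={"dba"},
        groups={"Sensitive Objects"}, recipients={"jdoe", "soc_oncall"})
    return src


def build_target():
    # Constructed importing system: same user name but a different person; group with a stale member.
    dst = System()
    dst.users["jdoe"] = User("jdoe", "jane_doe@sample.com")
    dst.groups["Sensitive Objects"] = Group("Sensitive Objects", {"CUSTOMERS", "LEGACY_TMP"})
    return dst


def run_scenario(fully_synchronize=False):
    dst = build_target()
    bundle = export_definition(build_source(), "PII access alert")
    return dst, import_bundle(dst, bundle, fully_synchronize)


if __name__ == "__main__":
    system, result = run_scenario()
    print(result)
    print(sorted(system.groups["Sensitive Objects"].members))
    print(recipient_emails(system, "PII access alert"))
```

Running the scenario shows that the imported alert notifies jane_doe@sample.com rather than the intended john_doe@example.com, that LEGACY_TMP stays in the group unless Fully synchronize group members is used, and that a second import of the same file is skipped rather than overwriting the first. The warning list is the kind of check worth doing on both systems before trusting an imported alert.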

Exporting to XACML Protocol

Guardium supports export of Policy Rules to a XACML file, and import of XACML files to another Guardium system.

XACML (eXtensible Access Control Markup Language) is a declarative access control policy language that is implemented in XML, together with a processing model that describes how the policies are evaluated.

Note: XACML imports from previous versions of Guardium are not supported.

To export Guardium policies to XACML, follow these steps:
  1. Click Manage > Data Management > Export.
  2. Select Policy from the Type menu.
  3. Check the Export to XACML File check box.
  4. Select definitions from the Definitions to Export menu.
  5. Click Export.

To import an XACML file from another Guardium system, open the Definitions Import page by clicking Manage > Data Management > Import.
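To make the "language plus processing model" description concrete, here is an added example, not Guardium code, of a generic XACML 3.0 policy and a minimal evaluator for it. The page does not show the structure of the file that Guardium exports, and this example does not assume it; the policy, the rule identifiers and the application account name are constructed. The evaluator implements only the string-equal match function and the deny-overrides rule-combining algorithm, which is enough to show how a Target, its AnyOf/AllOf/Match nesting and the combining algorithm determine a decision. Listing the rules of a file before importing it is the kind of review a practitioner would do.

```python
"""Minimal evaluator for a generic XACML 3.0 policy (added example; the format Guardium
exports is not shown on this page and is not assumed here)."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
              "urn:oasis:names:tc:xacml:1.0:subject:subject-id")
ACTION_ID = ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
             "urn:oasis:names:tc:xacml:1.0:action:action-id")

# Constructed sample policy: deny DROP TABLE for the application account, permit the rest.
SAMPLE_POLICY = f"""
<Policy xmlns="{XACML_NS}" PolicyId="example:app-account" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-drop-for-appuser" Effect="Deny">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="{STRING_EQUAL}">
            <AttributeValue DataType="{XS_STRING}">appuser</AttributeValue>
            <AttributeDesignator Category="{SUBJECT_ID[0]}" AttributeId="{SUBJECT_ID[1]}"
                                 DataType="{XS_STRING}" MustBePresent="false"/>
          </Match>
          <Match MatchId="{STRING_EQUAL}">
            <AttributeValue DataType="{XS_STRING}">DROP TABLE</AttributeValue>
            <AttributeDesignator Category="{ACTION_ID[0]}" AttributeId="{ACTION_ID[1]}"
                                 DataType="{XS_STRING}" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <Rule RuleId="permit-otherwise" Effect="Permit"><Target/></Rule>
</Policy>
"""


def make_request(subject, action):
    """Request context as {(category, attribute-id): value}."""
    return {SUBJECT_ID: subject, ACTION_ID: action}


def _match(match, request):
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("this example implements string-equal only")
    value = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    return request.get((des.get("Category"), des.get("AttributeId"))) == value


def _target_matches(target, request):
    """Target = conjunction of AnyOf; AnyOf = disjunction of AllOf; AllOf = conjunction
    of Match. An absent or empty Target matches every request."""
    if target is None:
        return True
    return all(
        any(all(_match(m, request) for m in all_of.findall("x:Match", NS))
            for all_of in any_of.findall("x:AllOf", NS))
        for any_of in target.findall("x:AnyOf", NS))


def list_rules(policy_xml):
    """(RuleId, Effect) pairs, for reviewing a policy file before importing it."""
    root = ET.fromstring(policy_xml)
    return [(r.get("RuleId"), r.get("Effect")) for r in root.findall("x:Rule", NS)]


def evaluate(policy_xml, request):
    """Decision under deny-overrides: any applicable Deny wins, then Permit, else NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("this example implements deny-overrides only")
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if _target_matches(r.find("x:Target", NS), request)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


if __name__ == "__main__":
    print(list_rules(SAMPLE_POLICY))
    for subj, act in [("appuser", "DROP TABLE"), ("appuser", "SELECT"), ("dba", "DROP TABLE")]:
        print(subj, act, "->", evaluate(SAMPLE_POLICY, make_request(subj, act)))
```

Because the first rule's AllOf requires both the subject and the action to match, only the combination of appuser and DROP TABLE is denied; either attribute on its own falls through to the permit rule. Under deny-overrides the order of the rules does not matter, which is the property that makes the combining algorithm worth checking when reviewing an exported policy.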