Global profile

The Global Profile page defines defaults that apply to all users.

Getting started with the global profile

To open the Global Profile page, browse to Setup > Tools and Views > Global Profile.

Use the Global Profile page to set defaults for your Guardium® system. You can add your own header and footer to reports, upload your company logo, create a default message template, and much more.
Note: Whenever you change information on the Global Profile, you need to scroll to the end of the page and click Apply for the change to take effect.

Changing settings for aliases and PDFs

You can change the following settings for aliases and PDF footers:

  • Use aliases in reports unless otherwise specified: An alias provides a synonym that substitutes for a stored value of a specific attribute type. Aliases are commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18.

    When selected, Guardium uses available aliases for all reports.

  • PDF footer text: PDF files created by various Guardium components (such as audit tasks) have a standard page footer. To customize the footer, enter your text into the PDF footer text box. PDF footer text that you define on a central manager or aggregator is not distributed to managed units.

Managing alert message templates

Message templates determine the content of alerts. You can create multiple message templates from the Global Profile, and use them with different rules as needed.
Note: For more information about creating and managing message templates, see The alert message template.
  • Default message template: Displays the default message template for alerts.
  • No wrap: Select to remove word wrap from the message template. Use this feature to see where the line breaks appear in the message.
  • Named template: Click Edit to create new templates and manage or edit existing named templates. For more information, see The alert message template.

Specifying a CSV separator

Specify a CSV separator for all CSV output (such as audit processes):

  • CSV separator: Select Comma, Semicolon, Tab, or click Other to define your own separator.

Adding text to the Guardium window

  • HTML - left and HTML - right: Enter HTML-formatted text to include at the bottom of the Guardium window.

    To verify that your HTML displays as you expect, click Preview.

  • Create a login message and other elements to display when (or before) a user logs in:
    • Show login message: Select to display the login message (or clear to disable the display).
    • Login message: Add a plain text message to display each time that a user logs in.
    • Pre-login message (HTML): Add an HTML-formatted message that displays after a user opens the Guardium window but before they log in.
      Note: If you include an image, the image also displays in the pre-login message. For more information, see Upload logo image.
    • Header and footer banner (HTML): Add HTML-formatted banners to the Guardium login page. By default, the header and footer display at the top and the lower left of the Guardium UI. However, you can use HTML to change the alignment, color, and other elements for your requirements.

Managing other Guardium properties

  • Concurrent login from different IP: By default, the same Guardium user can log in to an appliance from multiple IP addresses. Use this feature to disable concurrent logins from the same user. When disabled, each user can log in from only one IP address at a time. If a user closes their browser without logging out, the connection times out due to inactivity, so the user account is not blocked for long.
    Note: When this feature is enabled, Unlock displays. For support purposes, you can unlock the account to allow a second user to log in with this user account from a different IP address.
  • Data level security filtering: Enable this feature when specific Guardium users are responsible for specific databases. Use data-level filtering to filter results system-wide so that each user can see only the information from databases for which that user is responsible.
    Note: If data level security at the observed data level is enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy.
  • Default Filtering: If data-level security filtering is enabled, you can set the default filtering options for the logged-in viewer.
    • Show all: The logged-in viewer can see all of the rows in the result regardless of who these rows belong to. When used with the datasec-exempt role, allows an override of the data level security filtering.
    • Include indirect records: The logged-in viewer can see the rows that belong to the logged-in user, and all rows that belong to users in the user hierarchy under the logged-in user.
    Note: The datasec-exempt role is activated when data level security is enabled and the datasec-exempt role is assigned to a user. For more information, see Understanding Roles.
    Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.
  • Escalate result to all users: When enabled (the default), audit process results (and PDF versions) are escalated to all users, even if data level security at the observed data level is enabled. If not enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If disabled (cleared), and no user hierarchy is available, then no escalation is allowed.
  • Custom database table maximum size (MB): Set the size of the custom database table (in MB). The default value is 4000 MB. In addition, click Current Usage to display the current values for InnoDB, MyISAM, and the combined total.
    Note: The custom size limit is tested before data is imported. If a data import exceeds the new limit, Guardium prevents the next import.
  • FTP/SCP Ports Export: Change a port to send files over FTP or Secure Copy Protocol (SCP). You can change the ports for export and patch backup. The default port for FTP is 21. The default port for SSH/SCP/SFTP is 22.
    Note: A zero indicates that Guardium uses the default port.
  • Encrypt Must Gather output: Guardium collects certain data (MustGather information) that IBM support uses if something goes wrong. Select to encrypt MustGather output. Clear to compress, but not encrypt the output.

    You can also turn MustGather encryption on and off from the CLI. For more information, see store encrypt_must_gather.

  • Check for Guardium updates: When selected, information about relevant ad hoc Guardium patches, GPUs, CFPs, bundles, Sniffer patches, and security patches is displayed when you click the Messages icon.
    Note: After you install a patch, it is removed from the list.
  • Datasource connection timeout (seconds): Set the datasource connection timeout. The default is 60 seconds.

When you are done making changes, click Apply to save your changes to the global profile.

Uploading a new logo

You can add or delete a graphic on the Guardium window.

  • To delete the current logo, click Delete.
  • To add a file, click Browse to select a file to upload to the Guardium appliance. Then, click Upload.
  • When you refresh your browser window, the new image is scaled to 60 x 54 pixels and displays in the upper right corner of the Guardium UI. If you have a pre-login message, the image also displays in the message.
    Note: The file name cannot include any of the following characters: Single quotation mark ('), double quotation mark ("), less than sign (<), or greater than sign (>).

Managing access by IP address

From a central manager or stand-alone machine, use Manage login access by IP address to limit access to the Guardium UI, CLI (via SSH), or both to specified IP addresses.

To specify IP addresses for an allowlist:
  1. From Manage login access by IP address, click Manage to open Manage login access by IP address.

    From here, you can either add IP addresses one at a time, or click Import from CSV to import a list of IP addresses from a comma-separated value (CSV) file.

  2. To add a single IP address, click the Add icon to open the Add IP address to allowlist window.
    1. Enter the IP address (IPv4 or IPv6) you want to include.
    2. Select the login type: GUI, SSH (to log in to the CLI), or GUI and SSH.
    3. Click OK to add the address.
  3. To import a list of addresses from a CSV file:
    1. Click Browse and select a CSV file that contains the list of IP addresses to add to the allowlist.
    2. If necessary, set Field delimiter to the separator used in the CSV file. The default is a comma (,).
    3. Click Load to add the values.
    4. Select the column within the file to import.
    5. Select the login type: GUI, SSH (to log in to the CLI), or GUI and SSH.
    6. Click OK to add the addresses.
      Note: To include different addresses for the GUI and SSH allow lists, use separate CSV files.
  4. The addresses that you added display in the IP address table. Select whether to enforce the allowlist for GUI or SSH logins, or both, and then click Save.
Users can now log in only if their IP addresses are in the allowlist.
To manage IP addresses in the allowlist:
  • To disable the allowlist (that is, allow login access for any IP address), clear Enforce allowlist... for either GUI or SSH logins (or both).
  • To remove addresses from the allowlist, select the addresses to delete and click the Delete icon.
Note: Be careful not to disable access from your current IP address. If you do disable access, you (or someone with access to the GUI) can use the update_ip_restriction_allowlist API to restore access.
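
Added example (not part of the product documentation and not IBM code): a Python pre-import check for the CSV file used in the import steps above, which validates the chosen column and confirms that your own address is in the list before you enforce the allowlist. It assumes that entries must be single IPv4 or IPv6 addresses, as the Add IP address step states, so ranges are reported as rejected; the function name, the current_ip parameter, and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample file: semicolon-delimited, addresses in column 1.
SAMPLE_CSV = """host;address;owner
jump01;192.0.2.10;dba-team
jump02;2001:db8::25;dba-team
jump03;192.0.2.300;ops
jump04;192.0.2.0/24;ops
jump01-dup;192.0.2.10;dba-team
"""


def check_allowlist_csv(text, column, delimiter=",", current_ip=None, has_header=True):
    """Validate one CSV column as a login allowlist before importing it."""
    rows = csv.reader(io.StringIO(text), delimiter=delimiter)
    valid, rejected, duplicates, seen = [], [], [], set()
    for line_no, row in enumerate(rows, start=1):
        if (has_header and line_no == 1) or not row:
            continue  # skip the header row and blank lines
        # A missing column usually means the wrong field delimiter was chosen.
        value = row[column].strip() if column < len(row) else ""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            # Assumption: only single IPv4/IPv6 addresses are accepted.
            rejected.append((line_no, value))
            continue
        if addr in seen:
            duplicates.append((line_no, str(addr)))
            continue
        seen.add(addr)
        valid.append(str(addr))
    # Lockout check: is the address you are connecting from in the list?
    covered = None if current_ip is None else ipaddress.ip_address(current_ip) in seen
    return {"valid": valid, "rejected": rejected,
            "duplicates": duplicates, "current_ip_covered": covered}


if __name__ == "__main__":
    report = check_allowlist_csv(SAMPLE_CSV, column=1, delimiter=";",
                                 current_ip="192.0.2.10")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once per file when the GUI and SSH allowlists differ, because separate CSV files are required in that case.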