Global profile
The Global Profile page defines defaults that apply to all users.
Getting started with the global profile
To open the Global Profile page, browse to .
Changing settings for aliases and PDFs
You can change the following settings for aliases and PDF footers:
- Use aliases in reports unless otherwise specified: An alias provides a synonym that substitutes for a stored value of a specific attribute type. Aliases are commonly used to display a meaningful or user-friendly name for a data value. For example, Financial Server might be defined as an alias for IP address 192.168.2.18.
When selected, Guardium uses available aliases for all reports.
- PDF footer text: PDF files created by various Guardium components (such as audit tasks) have a standard page footer. To customize the footer, enter your text into the PDF footer text box. PDF footer text that you define on a central manager or aggregator is not distributed to managed units.
Managing alert message templates
- Default message template: Displays the default message template for alerts.
- No wrap: Select to remove word wrap from the message template. Use this feature to see where the line breaks appear in the message.
- Named template: Click Edit to create new templates and manage or edit existing named templates. For more information, see The alert message template.
Specifying a CSV separator
Specify a CSV separator for all CSV output (such as audit processes):
- CSV separator: Select Comma, Semicolon, Tab, or click Other to define your own separator.
Adding text to the Guardium window
- HTML - left and HTML - right: Enter HTML-formatted text to include at the bottom of the Guardium window.
To verify that your HTML displays as you expect, click .
- Create a login message and other elements to display when (or before) a user logs in:
- Show login message: Select to display the login message (or clear to disable the display).
- Login message: Add a plain text message to display each time that a user logs in.
- Pre-login message (HTML): Add an HTML-formatted message that displays after a user opens the Guardium window but before they log in. Note: If you include an image, the image also displays in the pre-login message. For more information, see Upload logo image.
- Header and footer banner (HTML): Add HTML-formatted banners to the Guardium login page. By default, the header and footer display at the top and the lower left of the Guardium UI. However, you can use HTML to change the alignment, color, and other elements for your requirements.
Managing other Guardium properties
- Concurrent login from different IP: By default, the same Guardium user can log in to an appliance from multiple IP addresses. Use this feature to disable concurrent logins from the same user. When disabled, each user can log in from only one IP address at a time. If a user closes their browser without logging out, the connection times out due to inactivity, so the user account is not blocked for long. Note: When this feature is enabled, Unlock displays. For support purposes, you can unlock the account to allow a second user to log in with this user account from a different IP address.
- Data level security filtering: Enable this feature when specific Guardium users are responsible for specific databases. Use data-level filtering to filter results system-wide so that each user can see only the information from databases for which that user is responsible.
Note: If data level security at the observed data level is enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy.
- Default Filtering: If data-level security filtering is enabled, you can set the default filtering options for the logged-in viewer.
- Show all: The logged-in viewer can see all of the rows in the result regardless of who these rows belong to. When used with the datasec-exempt role, allows an override of the data level security filtering.
- Include indirect records: The logged-in viewer can see the rows that belong to the logged-in user, and all rows that belong to users in the user hierarchy under the logged-in user.
Note: The datasec-exempt role is activated when data level security is enabled and the datasec-exempt role is assigned to a user. For more information, see Understanding Roles.
Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.
- Escalate result to all users: When enabled (the default), audit process results (and PDF versions) are escalated to all users, even if data level security at the observed data level is enabled. If not enabled, then audit process escalation is allowed only to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If disabled (cleared), and no user hierarchy is available, then no escalation is allowed.
- Custom database table maximum size (MB): Set the size of the custom database table (in MB). The default value is 4000 MB. In addition, click Current Usage to display the current values for InnoDB, MyISAM, and the combined total.
Note: The custom size limit is tested before data is imported. If a data import exceeds the new limit, Guardium prevents the next import.
- FTP/SCP Ports Export: Change a port to send files over FTP or Secure Copy Protocol (SCP). You can change the ports for export and patch backup. The default port for FTP is 21. The default port for SSH/SCP/SFTP is 22. Note: A zero indicates that Guardium uses the default port.
- Encrypt Must Gather output: Guardium collects certain data (MustGather information) that IBM support uses if something goes wrong. Select to encrypt MustGather output. Clear to compress, but not encrypt, the output.
You can also turn MustGather encryption on and off from the CLI. For more information, see store encrypt_must_gather.
- Check for Guardium updates: When selected, information about relevant ad hoc Guardium patches, GPUs, CFPs, bundles, Sniffer patches, and security patches display when you click the icon. Note: After you install a patch, it is removed from the list.
- Datasource connection timeout (seconds): Set the datasource connection timeout. The default is 60 seconds.
When you are done making changes, click Apply to save your changes to the global profile.
Uploading a new logo
You can add or delete a graphic on the Guardium window.
- To delete the current logo, click Delete.
- To add a file, click Browse to select a file to upload to the Guardium appliance. Then, click Upload.
- When you refresh your browser window, the new image is scaled to 60 x 54 pixels and displays in the upper right corner of the Guardium UI. If you have a pre-login message, the image also displays in the message. Note: The file name cannot include any of the following characters: Single quotation mark ('), double quotation mark ("), less than sign (<), or greater than sign (>).
Managing access by IP address
From a central manager or stand-alone machine, use Manage login access by IP address to limit access to the Guardium UI, CLI (via SSH), or both to specified IP addresses.
- From Manage login access by IP address, click Manage to open Manage login access by IP address.
From here, you can either add IP addresses one at a time, or click Import from CSV to import a list of IP addresses from a comma-separated value (CSV) file.
- To add a single IP address, click the icon to open the Add IP address to allowlist window.
- Enter the IP address (IPv4 or IPv6) you want to include.
- Select the login type: GUI, SSH (to log in to the CLI), or GUI and SSH.
- Click OK to add the address.
- To import a list of addresses from a CSV file:
- Click Browse and select a CSV file that contains the list of IP addresses to add to the allowlist.
- If necessary, set Field delimiter to the separator used in the CSV file. The default is a comma (,).
- Click Load to add the values.
- Select the column within the file to import.
- Select the login type: GUI, SSH (to log in to the CLI), or GUI and SSH.
- Click OK to add the addresses. Note: To include different addresses for the GUI and SSH allow lists, use separate CSV files.
- The addresses that you added display in the IP address table. Select whether to enforce the allowlist for GUI or SSH logins, or both, and then click Save.
- To disable the allowlist (that is, allow login access for any IP address), clear Enforce allowlist... for either GUI or SSH logins (or both).
- To remove addresses from the allowlist, select the addresses to delete and click the icon.
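A pre-import check for the allowlist CSV described above, as an added example that is not part of the Guardium product or its documentation: it reads one column with a chosen field delimiter, reports entries that are not a single IPv4 or IPv6 address, and confirms that a given client address is on the list before you select Enforce allowlist. The function names, the header row, the rejection of CIDR ranges, and the sample data are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: semicolon-delimited, header row, addresses in column 1.
SAMPLE = """host;address
admin-ws;192.0.2.10
jump-host;2001:DB8::0001
office-net;192.0.2.0/24
admin-ws-dup;192.0.2.10
old-entry;10.0.0.999
"""

def load_allowlist(csv_text, column=0, delimiter=",", header=True):
    """Return (valid, rejected) for one column of an allowlist CSV.

    valid:    de-duplicated, normalized IPv4/IPv6 address strings
    rejected: (line_number, raw_value, reason) tuples to fix before import
    """
    valid, rejected, seen = [], [], set()
    reader = csv.reader(io.StringIO(csv_text), delimiter=delimiter)
    for line_no, row in enumerate(reader, start=1):
        if (header and line_no == 1) or not any(c.strip() for c in row):
            continue  # skip the header row and blank lines
        raw = row[column].strip() if column < len(row) else ""
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # Assumption: only single addresses are accepted, no CIDR ranges.
            rejected.append((line_no, raw, "not a single IPv4/IPv6 address"))
            continue
        if str(addr) in seen:
            rejected.append((line_no, raw, "duplicate"))
            continue
        seen.add(str(addr))
        valid.append(str(addr))
    return valid, rejected

def covers(valid, client_ip):
    """True if client_ip (for example, your own workstation) is on the list."""
    return str(ipaddress.ip_address(client_ip)) in valid

if __name__ == "__main__":
    ok, bad = load_allowlist(SAMPLE, column=1, delimiter=";")
    print("import:", ok)
    for line_no, raw, reason in bad:
        print(f"line {line_no}: {raw!r} {reason}")
    print("admin workstation covered:", covers(ok, "192.0.2.10"))
```

Run it once per file, because the GUI and SSH allowlists use separate CSV files, and check `covers()` for the address you administer from before enforcing either list.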