Entitlement Optimization

Entitlement Optimization mediates between the role of the DBA in providing users the entitlements that are required to perform their jobs efficiently, and the role of Security in keeping entitlements as accurate and as minimal as possible to prevent system vulnerabilities.

Entitlement optimization was introduced in Guardium V10.1.2.

Situations naturally arise during day to day management of the system that result in vulnerabilities, for example:
  • Over-generalized access
  • A privilege that was given to a user needed for one-time use but not removed afterward
  • Changes over time of users and tables, resulting in dormant users and tables
  • Privileges that are passed from one user to another

Entitlements require constant ongoing vigilance. For example, advanced persistent threats (APT) usually originate with one of these back door entries into the system.

Entitlement optimization constantly analyzes users’ privileges and actions, and produces recommendations that pinpoint specific actions that aim to minimize user access to only that which is required. The analysis is entirely performed by the system. The admin reviews the results, examines each case, and takes the appropriate actions, for example, removing privileges from a DB user, or deleting dormant roles.

You can also investigate entitlement changes over the past week, a complete list of users and roles, data source privileges alongside their actual usage, and a simulated justification of a specific user-role combination. These views provide information relevant to the recommendations, and are also starting points for other investigations.

The advantages of entitlement optimization over Guardium reports is that it consolidates information for all database types (that appears in multiple Guardium reports), and it adds new analyses into its own comprehensive and consolidated reports, simplifying entitlement management, and thereby increasing system security.

Entitlement optimization supports database types: Microsoft SQL Server, Oracle. It does not support SQL Contained Databases. (Guardium reports are per database type.)

Entitlement optimization activity monitoring is limited to the data currently monitored by Guardium. The accuracy of the Recommendations, Entitlement browse and What if analyses depend on the relevance of the monitored data. To fully maximize the potential of this tool, configure the userScope and objectScope parameters, and consider modifying the security policy.

Users that are dormant from the time you start monitoring with Entitlement optimization are not included in the entitlement optimization reports. To watch a specific user that is monitored but doesn't have any recommendations, manually check the activity of the user either through entitlement browse or any of the other Guardium activity monitoring tools. The tools have the full information if the policy is correctly defined.

Entitlements analysis is per Collector, and operates only on the data sources that you configure by grdapi.

The must gather feature supports entitlement optimization. See Basic information for IBM Support.

Access entitlement optimization from Discover > Database Entitlements > Entitlement Optimization