Enable scanning for sensitive data

Learn how to store database credentials and allow the discovery and classification of sensitive data.

Before you begin

Install a compliance monitoring template by following the procedure described in Set up compliance monitoring.

About this task

The following procedure describes how to create datasources by storing database credentials using the compliance monitoring tool. Storing credentials and creating datasources allows Guardium to access your databases for the discovery and classification of sensitive data.


  1. Use one of the following methods to identify where database credentials are required.
    • In the Scanning for sensitive data section of a compliance monitoring tile, look for a not enabled icon and click the associated Datasource credentials link. The compliance monitoring databases view will open to a filtered list of databases that require credentials.
    • Click the View databases link to open the compliance monitoring databases view and look for databases that do not have a datasource enabled icon in the Datasource column.
  2. From the compliance monitoring databases view, select databases that require credentials and click Datasource actions > Provide credentials.
    • If you select multiple databases and click Datasource actions > Provide credentials, the provided credentials are saved for all selected databases. When providing credentials for multiple databases, make sure that the selected databases all use the same credentials. Otherwise, databases that use different credentials will fail the connection test.

    • Storing credentials enables the discovery and classification of sensitive data for some compliance types. If automated configuration is not supported, the datasources created when you store credentials can be used in your own discover sensitive data scenarios.

  3. From the Provide credentials dialog, use the User name and Password fields to provide credentials for the selected databases. Click OK to return to the compliance monitoring database view.
  4. From the compliance monitoring database view, select databases that have stored credentials and click Datasource actions > Test connection. Use Test connection to validate that the stored credentials allow access to the database. If the connection test fails, the discovery and classification of sensitive data will not work.
    • Testing connections can be time-intensive. It is not recommended to test a large number of connections at once.
    • If a connection test fails, navigate to Setup > Tools and Views > Datasource Definitions, select the datasource, and validate the datasource definition. For example, you may need to specify the correct port for Db2 for z/OS databases, correct mixed-case PostgreSQL database names, or set other connection properties required for your environment.
    • If a Microsoft SQL Server connection test fails, verify that the SQL Server Browser Windows service is started.


After enabling scanning for sensitive data, scan results and any changes made to the policy (including changes to groups and group membership) become available after the policy is installed according to the policy installation schedule. By default, the quick start compliance monitoring tool defines a policy installation schedule that runs daily at 10:30 AM.