Understanding Roles

Assign a role to a Guardium user to grant them specific access privileges. Some examples of roles are: CLI, admin, accessmgr, CAS, and user.

The access manager defines roles and assigns them to users and applications. When a role is assigned to an application or the definition of an item (a specific query, for example), only those Guardium users who are also assigned that role can access that component.

When user definitions are imported from an LDAP server, the groups to which they belong can optionally be defined as roles. For more information, see Importing Users from LDAP.

Note: When assigning roles to a user, the admin and access manager role cannot be assigned to the same user.
Note: Custom-created roles cannot be combined with default-provided roles (examples are user, admin, accessmgr, cli, inv, datasec-exempt, review-only).
Note: Admin role and object owner have access to all objects by default.
Note: Taking a base role and customizing (with additional navigation items), and then copying this customized role, will result in a loss of the customization if the customized or copied role is reset to default.

Default Roles

The Guardium system is pre-configured to support users who fall into four broadly defined default roles: admin, user, access manager, and investigations. The Guardium access manager can create new roles as well.
Note: Note: If data level security at the observed data level is enabled (see Global Profile settings), then audit process escalation is allowed only to users at a higher level in the Data Hierarchy (see Access Manager). The Datasec-exempt user can escalate, without restrictions, to anyone.
Table 1. Default Roles
Default Role Description


Provides the default layout and access for all common users. This role can not be deleted.


Provides the default layout and access for Guardium administrators. Do not confuse the admin role with the admin user, which is a special user account having the admin role, but also having additional powers that are reserved for the admin user account only. This role can not be deleted.


Provides the default layout and access for the access manager. This role can not be deleted.


Provides access to CLI. The admin user has default access to CLI. Everyone else must be given permission when users are created by access manager and roles specified. The access manager can define as many users in the system and give them the CLI role. These users have access to the CLI and all activities of their CLI sessions are associated with this user.

To run GrdAPI or CLI commands without admin rights, click the role CLI for Admin Console in the User Role Permissions selection.

See the topic, diag CLI Command, on how to manage the diag role.


Provides the default layout and access for investigation users. An investigation user must have the restore-to database name of INV_1, INV_2 or INV_3, as the Last Name in their user definition. This is not enforced by the GUI, but is required for the application to function properly. When assigned, the user role must also be assigned. This role can not be deleted.

Note: The Ad-Hoc Process for run once now button is available on all report screens for all users except investigation (INV) user.


Data Security - Exempt. This role is activated when Data level security is enabled (see Global Profile in Administration Console) and the datasec-exempt role has been assigned. If the user has this role, a Show all check box appears in all reports. If checked, all sniffed data records are shown (no filter is applied). This role cannot be deleted in the Role Browser.


A user that is specified by this role can view only results (Audit, Assessment, Classifier), Audit Results and the To Do List. This role cannot be deleted in the Role Browser.

Users with this role is allowed to enter comments in the audit process viewer (not workflow or comments/data per row, but comments at process/result level).

Users with this role cannot perform any changes/actions on any workflow automation result (escalate, reassign, etc).

Sample Roles

In addition to the default roles, a set of sample roles is also defined.

Table 2. Sample Roles
Sample Role Description


Users who have a database-centric view of security, allowing access to database-related reports and tracking of database objects


Users who have an information security focus, including tracking access to the database, and handling network requests, audits, and forensics


Users who have a network-centric view, including IP sources for database requests


Application developers, architects, and QA personnel who have an application-centric focus and want to track and report on SQL streams generated by an application


Auditors and others who need to view audit reports

Note: If trying to copy this role, an embedded message will appear explaining that not all aspects of this role can be copied. The message is: "Create a new role using the layout and permission from the "audit" role. Special privileges and actions associated with the "audit" role will not be copied."


This role is used to track or log when an audit process result has been deleted. Users with the audit-delete role can delete reports. Admin users can also delete reports. Tracking is done through the User Activity Audit Trail report.


A user that is specified by this role can only access the admin console tab.


Configuration Auditing System (CAS)


A user that is specified by this role can view only vulnerability results.


A user that is specified by this role can access and run the diag commands in CLI.


A user that is specified by this role can define and modify the workload-replay functions.


A user that is specified by this role can run the workload-replay functions.


A user that is specified by this role can define and modify the File Activity Monitor functions.


Accelerator - Basel II. This role can not be deleted.

Basel II Part 2 Sections 4 and 5 require that banking institutions must define a Securitization Framework around financial information and estimate the associated operational risk.


Accelerator - DataPrivacy. This role can not be deleted.

The Data Privacy Accelerator delivers a portfolio of pre-configured policies, real-time alerts, and audit reports that are specifically tailored to the challenges of identify theft and based on industry best practices. With the Data Privacy Accelerator, security managers, privacy officers, and database administrators begin by defining combinations of data elements – called "privacy sets" – whose access may indicate hacking or inappropriate activities by internal users.


Accelerator - GDPR. This role can not be deleted.

The Guardium GDPR accelerator provides predefined reports based on GDPR groups and policies. To begin working with the GDPR accelerator, assign the GDPR role to a Guardium user, then navigate to Accelerators > GDPR with that user account.


Accelerator - PCI. This role can not be deleted.

The PCI DSS is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations who store, process, use, or transmit cardholder data. Failure to comply can mean loss of privileges, stiff fines, and, in the case of a data breach, severe loss of consumer confidence in your brand or services. The IBM Guardium accelerator helps guide you through the process of complying with parts of the standard using predefined policies, reports, group definitions, and more.


Accelerator - SOX. This role can not be deleted.

SOX Section 404 requires that companies must establish and maintain an adequate internal control structure and procedures for financial reporting.

Roles in a Central Manager Environment

In Central Manager environments, all User Accounts, Roles, and Permissions are controlled by the Central Manager. To administer any of these definitions, you must be logged in to the Central Manager (and not to a managed unit).

Create a Role

  1. Login as accessmgr, and open the User Role Browser by clicking Access > Access Management > Role Browser.
  2. Click Add Role to open the Role Form panel.
  3. Enter a unique name for Role Name and click Add Role.

Remove a Role

  1. Open the User Role Browser by clicking Access > Access Management > Role Browser.
  2. Click Delete for any role (some roles cannot be removed, and do not have the Delete option). This opens the Role Form for the role.
  3. Click Confirm Deletion. A message displays informing you that all references to the role are removed, and you will be asked to confirm the action.
  4. Click OK to confirm the deletion, or Cancel to abort the operation.