Export/Import Definitions

If you have multiple systems with identical or similar requirements, and are not using Central Management, you can define the components that you need on one system and export those definitions to other systems, provided those systems are on the same software release level.

You can export one type of definition (reports, for example) at a time. Each element that is exported can cause other referenced definitions to be exported as well. For example, a report is always based on a query, and it can also reference other items, such as IP address groups or time periods. All referenced definitions (except for security roles) are exported along with the report definition. However, only one copy of a definition is exported if that definition is referenced in multiple exported items. An export of policies or queries exports only the groups that are referenced by the exported policies or queries. Previously an export of policies or queries would export all groups.

Export/Import Definitions
Export and Import Definitions are used to save and then restore functional data from a given Guardium system. For example, this function enables you to create a report on one Guardium system and then import that same report onto another server with the same Guardium installed version.
Note: This function is not the same as a full backup of the server. Backups should still be defined and run on a scheduled or manual basis.
Export Definitions - Are used to save and share defined functional values such as Reports/Queries, CAS data, Classifier Data, and so on. The export types are saved onto your PC as a .sql file type.
Import Definitions - This function is used to import the exported definitions onto servers that use the SAME Guardium Software version. For example, if you export definitions from a Guardium V10 system, then you can import those definitions only onto another V10 system.

  • When you export graphical reports, the presentation parameter settings (colors, fonts, titles, and so on) are not exported. When imported, these reports use the default presentation parameter settings for the importing system.
  • Subscribed groups are not exported. When you export definitions that reference subscribed groups, the user must ensure that all referenced subscribed groups are installed on the importing appliance (or Central Manager in a federated environment).
  • The logs of Export/Import Definitions have the same retention period than the monitored database activity logs.
  • Comments are not included in export.
  • When audit process definitions of scheduled runs (including schedule time) are exported to another system, the ACTIVE check box in Audit Process Builder is not checked (INACTIVE).
  • Schedule Start Time of an audit process defined on one appliance and exported to another (unrelated) appliance - In the case that the original schedule start time is defined, it is retained. If the original schedule start time is not defined (empty), then the imported schedule start time is set to the time it was imported.
  • When you export a datasource with an open source driver, the open source driver is not included in the export. The user needs to first upload the open source driver into the new system before importing the datasource definition that was created using it, otherwise the data direct driver will be substituted for the open source driver when it is imported.
  • Large complex imports can take a very long time and can exceed the length of the user's session. If this happens and the session times out, the import continues to run in the background until it completes.
  • When you export the definition of classifier policies - any custom evaluation classes associated with the policies are not exported with the definition. For the imported policies to work custom evaluation classes must be uploaded separately.
  • Exporting/Importing definitions between different languages does not work. For example, trying to export a file from a Guardium® system with a language of Simplified Chinese and import that file to a Guardium system of English will not be successful.

Export to XACML Protocol

Guardium supports export of Policy Rules to a XACML file, and import of XACML files to another Guardium system.

The XACML (eXtensible Access Control Markup Language) is a declarative access control policy language that is implemented in XML and a processing model, describing how to interpret the policies.

The export/Import to standard XACML is used as a bidirectional interface to transfer policies rules between Optim Designer and Guardium.

Optim Designer can convert data values for various purposes and through various means. In the core Optim runtime (z/OS and Distributed) this is achieved through the invocation of data privacy functions that are declared within column maps. In Optim Privacy this is specified, by the user, as the application of a data privacy policy on an attribute, referenced by an entity within a data access plan.

Customers who bought both products, Optim Privacy and Guardium, will be able to Export to XACML the policies and privacy information from one product and Import to the other product.

Note: XACML imports from previous versions of Guardium are not supported.
To export Guardium policies to XACML, follow these steps:
  1. Click Manage > Data Management > Export.
  2. Select Policy from the Type menu.
  3. Check the Export to XACML File check box.
  4. Select definitions from the Definitions to Export menu.
  5. Click Export.

To Import an XACML file from another Guardium system or Optim Privacy, open the Definitions Import by clicking Manage > Data Management > Import.

Importing Groups

When you import a group that already exists, members may be added, but no members will be deleted.

Importing Aliases

When you import aliases, new aliases may be added, but no aliases will be deleted.

Ownership of Imported Definitions

When a definition is created, the user who creates it is saved as the owner of that definition. The significance of this is that if no security roles are assigned to that definition, only the owner and the admin user have access to it.

When a definition is imported, the owner is always changed to admin.

Roles for Imported Definitions

References to security roles are removed from exported definitions. So any imported definitions will have no roles assigned.

Users for Imported Definitions

A reference to a user in an exported definition causes the user definition to be exported. When definitions are imported, the referenced user definitions are imported only if they do not exist on the importing system. In other words, existing user definitions are never overwritten. This has several implications, as described in Duplicate Role and User Implications.

In addition, imported user definitions are disabled. This means that imported users can receive email notifications that are sent from the importing system, but they are not able to log in to that system, unless and until the administrator enables that account.

Duplicate Group and User Implications

If a group that is referenced by an exported definition exists on the importing system, the definition of that group from the exporting system will not be not imported. This may create some confusion if the group is not used for the same purposes on both systems.

If a user definition exists on the importing system, it may not be for the same person that is defined on the exporting system. For example, assume that on the exporting system the user jdoe with the email address john_doe@aaa.com is a recipient of output from an exported alert. Assume also that on the importing system, the jdoe user already exists for a person with the email address jane_doe@zzz.com. The exported user definition is not imported, and when the imported alert is triggered, email is sent to the jane_doe@zzz,.com address. In either case, when security roles or user definitions are not imported, check the definitions on both systems to see if there are differences. If so, make the appropriate adjustments to those definitions.

Definition Types for Exporting

Table 1. Definition Types for Exporting
Can Be Exported Cannot be Exported


Custom Alerting Class

A check box in the Definitions export screen will Exclude group members. See description in Group line item.


Custom Assessment Test

Audit Process

Custom Identification Procedure

Auto-discovery Process


CAS Hosts


CAS Template Sets


Classification Process

Access Rule

Classifier Policy


Custom Class Connection Permission


Custom Domain


Custom Table




Event Type



 A check box in the Definitions export screen will Exclude group members. This check box is visible only for data sets that have groups somewhere in the export hierarchy (for example, export of an alert includes also the query of the alert and the query might include groups in the query conditions). If the export of datasource does not include groups, the checkbox is not visible. When that checkbox is set, the export file includes groups (if groups are linked to the exported definition) but members of the groups are not exported. The checkbox is not set by default, its state is not persistent, and only applies to the current export.

Named Template


Period (time period)


Policy (but not an included Baseline)


Privacy Set







A check box in the Definitions export screen will Exclude group members. See description in Group line item.




Security Assessment




Users database mapping


Users database permission


Users Hierarchy


Export Definitions

  1. Open the Definitions Export pane by clicking Manage > Data Management > Export.
  2. Select an option from the Type menu. The Definitions to Export menu will be populated with definitions of the selected type.
  3. Select all of the definitions of this type to be exported.
    Note: Do not export a Policy definition whose name contains one or more quote characters. That definition can be exported, but it cannot be imported. To export such a definition, make a clone of it, naming the clone without using any quote characters, and export the clone.
  4. Click Export. Depending on your browser security settings, you may receive a warning message asking if you want to save the file or to open it using an editor.
  5. Save the exported file in an appropriate location.

Import Definitions

  1. Open the Definitions Import pane by clicking Manage > Data Management > Import.
  2. Click Browse to locate and select the file.
  3. Click Upload. You are notified when the operation completes and the definitions contained in the file are displayed. Repeat to upload additional files.
  4. Use the Fully synchronize group members checkbox to set the behavior of how to add new group members imported directly or via other datasets such as queries or policies. If not checked, new members that are in the import are added, but members not in the import are not removed. If checked, then group members not in the import are removed. Use the Set as default button next to the checkbox to save the checkbox setting.
  5. Click Import this set of Definitions to import a set of definitions, or click Remove this set of Definitions without Importing to remove the uploaded file without importing the definitions.
  6. You will be prompted to confirm either action.
    Note: An import operation does not overwrite an existing definition. If you attempt to import a definition with the same name as an existing definition, you are notified that the item was not replaced. If you want to overwrite an existing definition with an imported one, you must delete the existing definition before performing the import operation.