Guardium® administrators perform various administration and maintenance tasks.
Any user assigned the admin role is referred to as a Guardium administrator. The admin role is distinct from the admin user account. The Guardium Administrator role is accountable for the usage of the admin and CLI IDs in production systems.
Admin role privileges
- The privacy sets that they own (that is, that they created).
- Any privacy sets that are assigned a security role that is also assigned to that user.
CLI diag command access
Use of the diag CLI command requires an additional password, which can be the password of any user with the admin role.
If automatic account lockout is enabled (where a user account is locked after a specified number of login failures), the admin user account can be locked after a number of failed login attempts. If that happens, use the unlock admin CLI command to unlock it.
Admin user privileges
The admin user has extra privileges that are not granted to the admin role, as follows:
- Access to all users' to-do lists
- Owner of imported definitions
- Access management functions
Admin user To-Do List powers
The To-do List is a workflow automation feature that controls the distribution of audit process results to users. The admin user has special privileges and responsibilities in this area. If a user account is disabled, all audit process results for that user are automatically reassigned to the admin user. If a user is unavailable for any other reason, audit process results are installed in that user's to-do list; that is, awaiting sign-off before they are released to the next results receiver. The admin user can open any user's to-do list, and take any actions that are available to that user. When the admin user performs any actions on another user's to-do list, that fact is noted in the audit process activity log, for example, User admin signed results on behalf of user x.
Imported definition ownership
When definitions are exported, all roles are removed, and the owner is changed to the admin user. This is the only way to control how the definition will be used on the importing system.
Access management and the administrator
For security purposes, a separation of duties exists between the access manager and admin. Admin users cannot have access manager privileges, and vice versa.
The next time the admin user logs in, access manager functionality will be available to them. This is possible for the admin user only (and not for other users that have the admin role).
The same user can contain both of these roles through a legacy situation or as a result of an upgrade. However, current use does not allow the two roles to be assigned to the same user.
In the past, when a unit was upgraded, the accessmgr role was assigned to the admin user, and the accessmgr user was disabled.
In this situation, to configure the accessmgr and admin, log in as admin and enable the accessmgr
user, then log in as accessmgr (the default initial password is
remove the accessmgr role from the admin user.