Audit process receivers

Use the audit process builder to send audit process output to many different people or groups (receivers). These process receivers can view and manage audit process output.

Audit process receivers are notified via email or their To-Do list of pending audit process results. You can designate any receiver as a signer for a process. In this case, the results can be held at that point on the distribution list until that receiver electronically signs the results or releases them.

You can define any number of receivers for a workflow automation process, and you control the order in which they receive results. In addition, receivers can notify other receivers by using the Escalate function. It is also possible to run an audit process with no defined receivers. For example, you can create an audit process with no receivers that writes to syslog and whose results do not need to be reviewed (or signed).

Adding receivers

From the Audit Process Builder,
  1. Open the Send results ribbon and then click Add receiver to open the New Receiver window.
  2. From the New Receiver window, select a Receiver type, which can be one of the following:
    • Role - Select a role from the Role list. Guardium sends results to all users with the specified role.
    • Email - Specify an address in Email address. Guardium sends results to the specified email address. In addition, you can select the following options:
      • Email format - Choose whether to send results as a PDF or in CSV format.
      • Approve if empty - Automatically approve this report if no results are returned.
      • Do not include online links to reports in email - Remove links to online reports from the notification email. Select this option if the receiver might not have access to the Guardium system.
    • User Group - Select or create a new user group in the Group list. Guardium sends results to all users that are members of the group.
    • User - Select a user from the User list or click Search Users to find a user to add. Guardium sends results to the specified user.
    • Ticket - Click the Search icon to begin searching for either a user or group to whom to assign this ticket.
      1. From the Search Users or Search Groups window, enter the name of the user or group.
      2. Click Search.
      3. Select a user or group, then click Add.
      Guardium assigns the ticket to the specified user or group.
  3. For Role, User Group, and User receivers, you can set the following options:
    • Action - Select any of the following actions:
      • Review - The receiver does not need to sign the results.
      • Sign off - The receiver must sign the results (electronically, by clicking Sign Results when viewing the results online). For user groups, if Sign off is selected, all members of the group must sign.
      • Approve if empty - Automatically approve this report if no results are returned.
      • Add to to-do list - Send a notice to the user's audit process to-do list. For more information, see Audit Process To-Do List.
    • Email format - Select an email format:
      • None - Do not send email to the receiver.
      • Links only - Include hypertext links to the results (on the Guardium system).
      • Full results - Include a copy of the results in PDF or CSV format.
        Note: Results from Security Assessment or Discover Sensitive Data tasks might return sensitive information.
    • Distribution sequence - Select whether audit process results are sent to all receivers at the same time (Simultaneous) or only after the previous receiver reviews or signs off on the results (Sequential).

Receiver details

When you select Role or User Group as a receiver, all users who belong to the group or have that role receive the results.

If you select a group receiver, and any workflow automation task uses the special runtime parameter ./LoggedUser in a query condition, then the query executes separately for each user in the group, and each user receives only their results.

For example, assume that your company has three DBAs, and each DBA is in charge of a different set of servers. You use the Custom Data Upload facility to upload the areas of responsibilities of each DBA (with server IPs) to the Guardium® system. You can correlate that to the database activity domain, and then use a report in this custom domain as an audit task. If a user group that contains the three DBAs is designated as the receiver, each DBA receives the report relevant only for their collection of servers.

If you specify a group receiver and require sign-off, each member of the group must sign the results separately (as explained earlier, each member of the group may be looking at a different set of results).

If you select Email as the receiver, the results are sent to the specified email address. When you specify an email address, that address is used to filter the data. The email address must belong to a user who is logged in or is under the user in the data hierarchy.

If you specify a role receiver, only one user with that role needs to sign the results. The other users with that role are notified when the results are signed.

Note: Be sure to configure audit processes so that all roles that act on an event associated with an audit process are receivers of that audit process. When you create a workflow event, you can assign a role to every status that is used by that event (that is, users with that role can only see events when the event is in the specified status).  When you assign an event to an audit process, it is important that every role that is assigned to a status of this event have a receiver on this audit process.  Otherwise, an audit result row can end up with a status where none of its receivers are able to see this row or change its status.

If this situation occurs, the admin user (who can see all events, regardless of their roles) can see the row and change its status. However, if data level security is on, the admin user might not be able to see this row. In this case, the admin user must either turn off data level security (from Global Profile) or have the dataset_exempt role.
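The coverage rule in the preceding note can be checked mechanically before a process goes live. The following is an added example, not Guardium code or a Guardium API: the dictionary layout, function names, and sample process are assumptions, and it deliberately counts only Role receivers as covering a role.

```python
def stranded_statuses(status_roles, receivers):
    """Return {status: role} for event statuses whose role has no Role receiver."""
    receiver_roles = {name for rtype, name in receivers if rtype == "Role"}
    return {s: role for s, role in status_roles.items() if role not in receiver_roles}


def admin_sees_row(data_level_security, admin_roles):
    """admin sees all events, but data level security may hide the row
    unless admin holds the dataset_exempt role."""
    return not data_level_security or "dataset_exempt" in admin_roles


def lint(process, data_level_security, admin_roles):
    """List every status in which a result row could be stranded."""
    findings = []
    stranded = stranded_statuses(process["status_roles"], process["receivers"])
    for status, role in sorted(stranded.items()):
        if admin_sees_row(data_level_security, admin_roles):
            fallback = "admin can still change the status"
        else:
            fallback = ("admin may not see the row: turn off data level "
                        "security or grant dataset_exempt")
        findings.append(f"{process['name']}: status {status!r} is visible only to "
                        f"role {role!r}, which has no receiver; {fallback}")
    return findings


# Constructed sample: process name, statuses and roles are made up for illustration.
SAMPLE = {
    "name": "Weekly DB activity review",
    "status_roles": {"status1": "infosec", "status2": "dba"},
    "receivers": [("Role", "infosec"), ("Email", "audit@example.com")],
}

if __name__ == "__main__":
    for line in lint(SAMPLE, data_level_security=True, admin_roles={"admin"}):
        print(line)
```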

Hypertext links to process results

In email messages, there are conditions where links to process results on the Guardium system will not work. For example:

  • If you access email from a location where you cannot normally access the Guardium system, the links do not work. For example, if you are on your personal computer, you might have access to your email over the Internet, but not to your company's private network or LAN, where the system is installed.
  • If you have not accessed your email for a longer period of time than the report results are kept, those results are not available when you click the link. For example, if results are kept for seven days, and you take a two-week vacation, your email may contain links to results older than seven days, and those links will not work.

Modifying the receivers list after an audit process runs

After an audit process runs, any user can add, edit, delete, and rearrange receivers on the receivers list. From the Audit Process Builder, select an active audit process and open its Send results ribbon:

  • Click new icon, edit icon, or remove icon to add, edit, or delete receivers.
  • Click reorder icon to enable the reorder controls and change the position of receivers in the list.
Changes to the receivers list are tracked in the User Activity Audit Trail report. From the report, right-click an UPDATE activity type, select Detailed Guardium user activity, and look for Audit process entries under the Modified entity column.
Note: The ability to modify the receivers list for an active audit process is available only with patch 475 or later installed. For Guardium 11.4 at earlier patch releases, the active receivers list is frozen after an audit process run.

If you delete the Guardium user account for a receiver on the list, Guardium substitutes the admin user account (which is never deleted) for that receiver. In this case, the admin user receives any email notifications that are sent to a deleted receiver, and the admin user must act upon any results released to that receiver.

How results are released to receivers

Results are released to the Guardium users listed on the receivers list, subject to the Continuous check box, as follows:

  • If the Continuous check box is marked, distribution continues to the next receiver on the list without interruption.
  • If the Continuous check box is cleared, distribution to the next receiver is held until the current receiver performs the required action (review or sign).

For example, assume you want to define a workflow process for DBAs:

  1. All DBAs should receive their results at the same time, with each DBA receiving a different result set based on the server IPs with which they are associated.
  2. Only when ALL DBAs have signed, the DBA Manager should see the results.
  3. Only when DBA Manager releases the report, the Auditors should see the results.
  4. All Auditors should receive the reports at the same time, but only one of them (any of them) needs to sign each result. The others will be updated when a result is signed.
  5. An auditor can escalate a result to the Audit Manager.

To define this flow:

  • The DBAs group would be named as the first receiver.
  • The DBA Manager would be next on the list.
  • The Auditors role (not group) would be next on the list. Any Auditor could sign and others will be notified. Also, any auditor can escalate a result set to the Audit Manager.
    Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the review/sign functionality and does not depend on the review/sign functionality at all.
    Note: Process results that are exported to CSV or CEF files are sent to another network location by the Guardium archiving and exporting mechanism. These results are not subject to the receivers list or to any signing actions. They are subject to the Guardium CSV/CEF export schedule (if any is defined), and they are subject to the access permissions that have been granted for the directory in which they are ultimately stored.
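The DBA flow above can be traced with a small model. This is an added example, not Guardium code: it follows the rule stated in this section (a receiver holds the results until the required action is done, the Continuous check box is marked, or Continue is clicked in the To-Do list), and the class, field, and user names are assumptions. It also assumes the group (all members) and role (any one user) rules apply to whichever action is required.

```python
from dataclasses import dataclass, field


@dataclass
class Receiver:
    name: str
    kind: str                    # "user", "group" or "role"
    members: frozenset           # users in the group / holding the role
    continuous: bool = False     # state of the Continuous check box
    acted: set = field(default_factory=set)  # users who did the required action
    continued: bool = False      # Continue clicked in the To-Do list

    def satisfied(self):
        if self.kind == "role":
            return bool(self.acted & self.members)  # one user with the role is enough
        return self.members <= self.acted           # the user, or every group member

    def outstanding(self):
        return set() if self.satisfied() else set(self.members - self.acted)


def released_to(receivers):
    """Names of the receivers the results have reached, in list order."""
    reached = []
    for r in receivers:
        reached.append(r.name)
        if not (r.continuous or r.continued or r.satisfied()):
            break  # distribution is held at this receiver
    return reached


def dba_flow():
    # Constructed sample mirroring the DBA example; user names are made up.
    return [
        Receiver("DBAs", "group", frozenset({"dba1", "dba2", "dba3"})),
        Receiver("DBA Manager", "user", frozenset({"mgr"})),
        Receiver("Auditors", "role", frozenset({"aud1", "aud2"})),
    ]


if __name__ == "__main__":
    flow = dba_flow()
    flow[0].acted |= {"dba1", "dba2"}
    print(released_to(flow), flow[0].outstanding())  # held at DBAs, dba3 outstanding
    flow[0].acted.add("dba3")
    flow[1].continued = True                         # manager releases the report
    print(released_to(flow))
    flow[2].acted.add("aud2")                        # any one auditor signs
    print(flow[2].satisfied())
```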

View or sign results

  1. Open the Compliance Workflow Automation results.
  2. If signing is required, click the Sign Results button.
  3. Optional. To forward these results to another user, click Escalate, and see Forward Results to Additional Receivers (in Escalation section).
  4. Click the Close this window link.
Note: If there are outstanding events, then the results cannot be signed either from the audit viewer or from the To-do list. If there are outstanding events and an attempt is made to sign the results, the following message appears:
Audit process cannot be signed - has pending events.

Please update all outstanding events prior to signing this result.
Note: When viewing audit process results, if a result has events associated with it, the Sign Results button is not available on this result until all events are in a Final state or cannot be seen by this user (due to data-level security).
Note: This report also contains a date or Last Action Time, located in a column between Receiver and Status. The report shows not only that the result was signed by user AAA, but also when user AAA signed it.

Release results without signing or viewing

  1. Open your To-Do List panel.
  2. Click the Continue button for the results you want to release to the next receiver on the distribution list.
  3. Click the Close this window link.

View Results Distribution

  1. Open the compliance workflow automation results.
  2. Expand the Distribution Status panel by clicking the (Show Details) button.
  3. Click the Close this window link.

View receiver comments added to results

  1. Open the compliance workflow automation results.
  2. Expand the Comments panel by clicking the Show Details button.
    Note: These are the comments that were attached to the results when the report page was retrieved from the Guardium system. If you add comments of your own, or if other receivers are adding comments simultaneously, you will not see those comments until you refresh your page (using your browser Refresh function).
  3. Click the Close this window link.

Escalate process results

A receiver of process results can forward the results notification for review and/or sign-off to additional receivers. If you escalate the results to a receiver outside of the original audit and sign-off trail, and the results include a CSV file, that file will not be included with the notification.

Regardless of who is a receiver of an audit result, an escalation can involve any user on the system, provided the Escalate result to all users box is checked in the Setup > Tools and Views > Global Profile menu. A check mark in this box escalates audit process results to all users, even if data level security at the observed data level is enabled. The default setting is enabled. If the check box is disabled (no check mark in the check box), then audit process escalation will only be allowed to users at a higher level in the user hierarchy. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.

Also, depending on event permissions, the receiver of an escalation can see a different result than the user who escalated it. For example, if the infosec user can only see events in status1 and the dba user can only see events in status2, the dba user will receive a different result than the result the infosec user saw when the infosec user clicked Escalate. It is possible that infosec will escalate to dba, and dba will receive an audit result with 0 rows in it.

  1. If the compliance workflow automation results you want to forward are not open, open them now.
  2. Click Escalate.
  3. Select the receiver from the Receiver list.
  4. In the Action Required column, select Review (the default) or Review and Sign.
  5. Click the Escalation button to complete the operation.
Note: Audit process results cannot be escalated to a group of users, only to users or roles.

When escalating to a user who already has the result in the user's to-do list, a popup message will appear, asking if an additional email should be sent. If yes, an additional email will be sent to the user, but the to-do list will not be incremented.