Data Security - User Hierarchy and Database Associations

You can use data security features to create a hierarchy of users and associate users to specific databases and servers. Guardium® data security features report on which users accessed what information, and ensure that only specific users see information that they are responsible for.

Follow these steps to enable and use Guardium data security features:

  1. Enable Data Security
  2. Create a User Hierarchy
  3. Create a User to Database Association
  4. Filter Results

When data security features are used with the Classification feature (which discovers and classifies sensitive data found in multiple places of the database), the Data Level Security prevents a specified user from seeing classifier results from a specified datasource (datasource definition). Using Data Level Security can also prevent a specified user from seeing Audit Task results when the task type is Classifier.

Enable Data Security

Restriction: Data Level Security and the Investigation Dashboard cannot be enabled concurrently.
  1. Log in as the admin user and open the Global Profile by clicking Setup > Global Profile.
  2. Click Enable for Data level security filtering.
    Note: The status indicator icon for Data level security filtering will now appear as Data level security filtering enabled.

    You can verify that Data level security filtering is enabled by referencing the Services Status panel (Setup > Services Status).

  • With data level security filtering enabled, log in as the accessmgr to use the User Hierarchy and User-DB Association features.

Create a User Hierarchy

The User Hierarchy shows you the parent-child relationships between all users. A user hierarchy permits the parent in a relationship to view the specified servers and databases; the children cannot.

Log in as accessmgr and open the User Hierarchy by clicking Data Security > User Hierarchy.

Do one of the following:
  • Click Update Active User-DB Map to view the full hierarchy of users.
  • Use the Roles and Users filters to view the hierarchy for a specific user or role. Right-click a node in the hierarchy to expand or collapse the tree, or add a user to a specific hierarchy.
  • Click Refresh Cached Hierarchy to update the hierarchy.
Note: Depending on the configuration, inheritance can also take place where the parent inherits the data-level security of the child.

Create a User to Database Association

The User-DB Association feature maps users to specific databases to ensure that users see only data that they are permitted to view.

Log in as accessmgr and open the User-DB Association by clicking Data Security > User-DB Association.

Do one of the following:
  1. View the current mapping of users to databases by clicking Update Active User-DB Map.
  2. Create a new User-DB association map by selecting options from the Server & Service Name Suggestion list and clicking Go.
    Note: Once the map is updated, you will see a tree listing all your servers. Click any node in the tree to view which users are currently associated with that node.

    If you are using a dual-stack configuration, there is a root node and two trees of addresses to choose from. One tree is for the IPv4 address, and the longer tree is for the IPv6 address.

    Add a user or group to a node by selecting the node and clicking Add user or Add group.

Central Management

On a Central Management appliance, the User-Database Associations screen also contains a box that allows a user to create database associations based on data from a managed node. This box appears only on Central Management appliances; use it to select a remote source. There is also a check box to get data from ALL managed nodes.

Filter Results

Data level security at the observed data level filters data so that specific users see only the specific databases they are responsible for.

Filtering at the system level is based on the User Hierarchy and User-DB Association so that users will see only information from their assigned databases for the various reports, audit processes, security assessments, and so on, within the Guardium system.

Log in as the admin user and use the Global Profile to filter results. Open the Global Profile by clicking Setup > Global Profile.

  • Default filtering:
    • Show all - This option is available only if the user logged in has the special role datasec-exempt defined, which allows the user to see all data as if there was no data level security.
    • Include indirect records - This check box shows the viewer not only the rows that belong to the user logged in, but also all the rows that belong to other users within that hierarchy.
  • Audit Process Escalation: Escalation is allowed for tasks of this type only to users who have the datasec-exempt role. Users without the datasec-exempt role are not shown in the escalation list.

    Escalate results to all users - A check mark in this check box escalates audit process results (and PDF versions) to all users, even if data level security at the observed data level is enabled. The default setting is enabled. If the check box is disabled (no check mark in the check box), then audit process escalation is allowed only to users at a higher level in the user hierarchy and to users with the datasec-exempt role. If the check box is disabled and there is no user hierarchy, then no escalation is permitted.

  • PDF and CSV results generated for distribution (attached to email) use the default global profile values set in the Administration Console parameters.
  • PDF and CSV results generated from the viewer use the same filtering as the screen.
Note:

The Data Security User to Database Association filters reports only from the following domains: Access, Exception, and Policy Violations (as well as custom domains that use these domains or tables from these domains). All other domains (reports) are not filtered by the Data Security User to Database Association.

Users with the admin role can see event types for all roles (the information is still filtered based on the observed data level security parameters).

If Data Level Security is turned on, predefined entities added to a custom domain need to be in the same domain(s) for the data level security filtering to work properly.

If Data Level Security is on, and two predefined entity subjects attempt to send data from two domains (not Custom Domains) that use a filtering policy, then sending the two predefined entity subjects is not permitted. Data Level Security can enforce only one kind of filtering policy (for example, there can be only one policy that depends on server_ip/service_name and one policy that depends on datasource).
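The following is an added illustration of the filtering rules described in the User Hierarchy and Filter Results sections above. It is not Guardium code and does not reflect Guardium's internal implementation; the user names, IP addresses, service names, report rows and the shape of the hierarchy map are all constructed for the example. It models: the User-DB Association (user to server_ip/service_name pairs), the parent-child hierarchy, the "Show all" option (honoured only for a datasec-exempt user), "Include indirect records" (taken here to mean the rows of everyone below the user in the hierarchy), and the escalation rule when "Escalate results to all users" is cleared (only users higher in the hierarchy or datasec-exempt users, and nobody at all when no hierarchy exists).

```python
"""Toy model of data level security filtering (added example, not Guardium code)."""
from dataclasses import dataclass

DATASEC_EXEMPT = "datasec-exempt"


@dataclass(frozen=True)
class Row:
    """One observed-data report row, keyed by the server it came from."""
    server_ip: str
    service_name: str
    detail: str


# Constructed sample data: hypothetical users, addresses and service names.
HIERARCHY = {"alice": ("bob", "carol"), "bob": ("dave",)}  # parent -> children
USER_DB_MAP = {                                             # user -> (server_ip, service_name)
    "alice": {("10.0.0.1", "ORACLE")},
    "bob": {("10.0.0.2", "MSSQL")},
    "carol": {("10.0.0.3", "DB2")},
    "dave": {("10.0.0.4", "MYSQL")},
    "auditor": set(),                                       # no associations of their own
}
ROLES = {"auditor": {DATASEC_EXEMPT}}                       # user -> roles

SAMPLE_ROWS = [
    Row("10.0.0.1", "ORACLE", "SELECT on HR.SALARY"),
    Row("10.0.0.2", "MSSQL", "UPDATE on dbo.Orders"),
    Row("10.0.0.3", "DB2", "DROP TABLE attempt"),
    Row("10.0.0.4", "MYSQL", "failed login"),
    Row("10.0.0.9", "POSTGRES", "server assigned to nobody"),
]


def is_exempt(user):
    return DATASEC_EXEMPT in ROLES.get(user, set())


def descendants(user, hierarchy=HIERARCHY):
    """Every user below `user`: children, grandchildren and so on."""
    found, stack = set(), list(hierarchy.get(user, ()))
    while stack:
        child = stack.pop()
        if child not in found:
            found.add(child)
            stack.extend(hierarchy.get(child, ()))
    return found


def ancestors(user, hierarchy=HIERARCHY):
    """Every user above `user` in the hierarchy (assumes one parent per user)."""
    parent_of = {c: p for p, kids in hierarchy.items() for c in kids}
    found = set()
    while user in parent_of and parent_of[user] not in found:
        user = parent_of[user]
        found.add(user)
    return found


def visible_databases(user, include_indirect=False, hierarchy=HIERARCHY):
    """Databases the user may see: their own associations and, with
    'Include indirect records', those of everyone below them."""
    dbs = set(USER_DB_MAP.get(user, set()))
    if include_indirect:
        for child in descendants(user, hierarchy):
            dbs |= USER_DB_MAP.get(child, set())
    return dbs


def filter_rows(user, rows, show_all=False, include_indirect=False, hierarchy=HIERARCHY):
    """Apply the Global Profile default filtering options to report rows."""
    if show_all and is_exempt(user):        # 'Show all' only works for datasec-exempt
        return list(rows)
    allowed = visible_databases(user, include_indirect, hierarchy)
    return [r for r in rows if (r.server_ip, r.service_name) in allowed]


def escalation_targets(user, candidates, escalate_to_all, hierarchy=HIERARCHY):
    """Users to whom `user` may escalate audit process results."""
    if escalate_to_all:                     # check box set: everyone
        return set(candidates)
    if not hierarchy:                       # check box cleared and no hierarchy: nobody
        return set()
    higher = ancestors(user, hierarchy)
    return {c for c in candidates if c in higher or is_exempt(c)}


if __name__ == "__main__":
    for r in filter_rows("alice", SAMPLE_ROWS, include_indirect=True):
        print(r.server_ip, r.service_name, r.detail)
    print(sorted(escalation_targets("dave", USER_DB_MAP, escalate_to_all=False)))
```

Running the block shows alice seeing her own Oracle rows plus those of bob, carol and dave when indirect records are included, and never the unassigned 10.0.0.9 server; dave can escalate only to bob, alice and the datasec-exempt auditor. Changing `HIERARCHY` to `{}` with the check box cleared leaves the escalation list empty, which is the last rule in the section.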