Access Management Overview

Access management consists of four tasks: account administration, maintenance, monitoring, and revocation.

Access Management is separate from system administration duties.

There are two predefined users on a Guardium® appliance: accessmgr and admin.

Note:

The admin and accessmgr roles cannot be assigned to the same user. A user may still hold both roles through a legacy situation or as a result of an upgrade. However, the two roles can no longer be assigned to the same user.

In the past, when a unit was upgraded, the accessmgr role was assigned to the admin user, and the accessmgr user was disabled. In this upgrade situation, it was necessary to first log in as admin and enable the accessmgr user, then log in as accessmgr (with the initial password accessmgr, which the system prompted the user to change), and remove the accessmgr role from the admin user.

Access Management Selection

  • User Browser - Manage users
  • Role Browser - Manage permissions and customize layouts for roles
  • Role Permissions - Manage application permissions
  • LDAP User Import - Import users from LDAP

Data Security Selection

  • Datasources Associated
  • Datasources Not Associated
  • Servers Associated
  • Servers Not Associated
  • User Hierarchy
  • User-DB Association

Predefined Reports from Accessmgr

The following predefined reports are available from the Accessmgr user.

User and Role Reports

Defining and modifying users (see Manage Users) involves deciding both who will be using the Guardium system and to what roles (see Manage Roles) they will be assigned. A role is a group of users, all of whom are granted the same access privileges.

The User and Role Reports consist of the following reports:
  • User - Role -- a report that shows, by user, the number of roles that user belongs to.
  • All Roles - User -- a report that shows, by role, the number of users that belong to that role.
Note: The admin and access manager roles are pre-existing; other roles are created by the access manager.

The following reports are available on a Central Manager or a standalone unit. If you try to use them on a managed machine, an error message appears. On Central Manager systems, Servers Not Associated shows servers from ALL managed units.

Datasources Associated

This report identifies Datasource Name, Host, Service Name, Login Name and Association Type. This information comes from the choices made in the User-Database Associations activity. See the Data User Security - Hierarchy and Associations help topic.

Datasources Not Associated

This report is a list of datasources not associated with any users. This report identifies Datasource Name, Datasource Type, Host, and Service Name. This information comes from the choices made in the User-Database Associations activity. See the Data User Security - Hierarchy and Associations help topic.

Servers Associated

This report identifies Server IP, Service Name, Login Name and Association Type. This information comes from the choices made in the User-Database Associations activity. See the Data User Security - Hierarchy and Associations help topic.

Servers Not Associated

This report is a list of servers not associated with any users. This report identifies Server IP and Service Name. This information comes from the choices made in the User-Database Associations activity. See the Data User Security - Hierarchy and Associations help topic.