How to report on dormant tables and columns

Guardium® offers functionality that can help data architects and DBAs discover which tables and which fields are not being used.

About this task

The basic concept is the following. You want to know which tables are not being accessed. You upload all table names from your database or from your Configuration Management Database (CMDB) using Guardium's custom domain and custom query functions. Then you use the report (from the custom query) to populate a group of objects.

Next, you use a report that uses monitored data to show all object names that have participated in a SELECT statement. There are predefined reports for this in Guardium 8, all starting with the prefix DW (Data Warehouse). Then, use the output to populate one of the predefined groups.

Finally, use a predefined report that shows all members in the first group that are not members in the second group.

There are two sets of such reports and groups – one which focuses on tables and one which focuses on tables and columns. The only difference is that in the later case groups are of a 2-tuple type (members that are a composite of a pair of value attributes, referred to as tuple).

Let's look at an example from start to finish involving an Oracle database and the EMP user.

Follow these steps.

Upload all table names and/or all table/column combinations from the set of system catalog tables (definitions of the database objects).
Use monitored data to determine which tables and/or table/columns have been accessed over a period of time.
Create a report of all items of step 1 that are not in step 2.

The following Guardium functions are used for this task.

External Data Correlation for uploading table names and columns names
Populate groups from queries
Reporting

Procedure

Upload all the tables from the system catalog. Do this by creating a custom table.
Prerequisites
1. Define datasource/test database connection
2. Upload data (create custom table)
3. Create new domain (merge custom tables with existing reports)
See External Data Correlation for further information.

The following example is available from Comply > Custom Reporting > Custom Table Builder > Upload Definition > Import Table Structure.

When the configuration is complete, click the Retrieve button.

Configuration - Upload Definition, Import Table Structure

Upload the data so that it is in the Guardium system (as a custom table) and if desired, schedule this upload. This data will be used to determine the superset of all tables defined in the system.

Mapping all the objects (and/or objects-fields) in the system

In this example, dormant data based on table names is used. But the analysis can include columns, provided the upload tasks are defined to bring back pairs of <object,field> and use tuple groups to compare with an observed tuple of object+field.

For instances of Object-Field, replace the DW Dormant Objects report with the DW Dormant Objects-Fields report. For instances of Object-Field, replace the DW Select Object Access report with the DW Object-Field Access report.

Once you complete the upload, define a custom domain based on this single custom table and define a report that retrieves the table names.

Next, populate the group DW All Objects group from this report and schedule this Import from Query action if desired. This creates a group that has all the tables as defined by the system catalog.

Note: When populating the group DW All Objects group, it should include the information to click Run Once Now -> Select All -> Click on Import button. Do the same for Group Name "DW SELECT Accessed Objects". It needs to import all scheduled definitions.

When done, click the Save button.
Mapping the object directly
Use monitored data to determine which tables and/or table/columns have been accessed over a period of time.

Look at some additional predefined reports. The DW SELECT Object Access report shows all object names that have been accessed through a SELECT statement.

Now, populate the group DW SELECT Accessed Objects group from the report, filling in the filtering attributes that you require.

Note: When populating the group DW All Objects group, it should include the information to click in 'Run Once Now' -> Select All -> Click on Import button. Do the same for Group Name "DW SELECT Accessed Objects". It needs to import all scheduled definitions.

The following example is available from Setup > Tools and Views > Group Builder > Chose DW All Objects > Populate from Query > DW Select Object Access.

When done, click the Save button.

Configuration - Populate Group from Query, Object Name
Create a report of all items of step 1 that are not in step 2.
Use the DW Dormant Objects report to view objects that are in the all objects group, but have not been used in a Select.

Contrast this report with the earlier Report – Table Names. Notice that EMP is not in this report because it was used in a SELECT statement.

Note: Because group members are centrally managed and synchronized between the Central Manager and managed units, the content of this report may be delayed by up to 30-minutes. If you need access to the information that is most up-to-date, run this report on the Central Manager or ask your Guardium administrator to synchronize the managed unit from the Central Manager.

Further ways to access tables

Mapping objects indirectly

In addition to direct SELECT access, tables may be accessed through stored procedures and functions. In this case, you will need to do a bit more mapping to allow Guardium to calculate such SELECTs.

First, use the report DW EXECUTE Object Access to fill in the group called DW EXECUTE Objects with a set of stored procedure names that are being executed. Then, use indirect mapping to generate all the objects being used from within these procedures.

Assume that you have a procedure defined:
```
create or replace procedure num_depts(deptnums out NUMBER) is
begin
    select count(*) into deptnums from dept;
end;
```
In this case, every execution of num_depts also does a select on DEPT.

Use the “populate group from query” feature to use the Object Name column in the DW EXECUTE Object Access report to populate the “DW Execute Objects” group. Then, use this group to populate the DW EXECUTE Accessed Objects group.

In the Group Builder select the DW EXECUTE Objects from the list and click on Auto Generate Calling Prox. Select either Using Reverse Dependencies, which is supported only for Oracle in Guardium 8, or Generate Selected Objects.

If you choose to use dependencies then you will need to choose a database that has access to DBA_DEPENDENCIES and what type of dependencies to follow.

Choose to append members to the DW EXECUTE Accessed Objects group.

The following example is available from Setup > Tools and Views > Group Builder > Chose DW EXECUTE Accessed Objects > Auto Generated Calling Prox > Using Reverse Dependences > Analyze Stored Procedures.

Configuration - Auto Generated Calling Prox, Using Reverse Dependencies

This will add the dependent objects to the group DW EXECUTE Accessed Objects.