IBM Guardium

  • 1.  Guardium Policy design

    Posted Mon February 17, 2025 06:17 AM

    Dear experts,

    We have a requirement to monitor "Any action that grants or revokes object privileges from a role or account".

    The example of this use case will be "Grant update on employee to moaz".

    example:

    So we need to design a use case that can monitor the above query.

    As you know, Guardium only understands "GRANT" as a "SQL verb".

    The question is: the permission "Update" should be parsed under which attribute?

    If not parsed, how can I make Guardium parse the "update" permission?
    Or how can I make Guardium understand the combination of "Grant & Update" as a SQL verb?
    Best regards,


    ------------------------------
    Moaz Saadeldin
    ------------------------------


  • 2.  RE: Guardium Policy design

    Posted Tue February 18, 2025 02:56 AM

    Hi,

    The best option is to use a SQL criteria rule with "Pattern" and develop a regular expression that matches on your criteria.

    Thanks,



    ------------------------------
    Essa Alshaikh Ali
    ------------------------------



  • 3.  RE: Guardium Policy design

    Posted Tue February 18, 2025 03:34 AM
    Edited by Sachin Marawar Tue February 18, 2025 03:35 AM

    Hi Moaz,

    I tried this in one of my Oracle test systems and was able to capture the GRANT UPDATE ON TABLE TO USER SQL.

    I believe that the organics are just in object and sql verb and field attribute in case involved.
    The rest of the permissions related portion UPDATE ON TABLE TO USER will be considered as an SQL statement as you can see in the report that I could fetch.

    And if you want to capture this type of SQL command, then you can use the filter of Command like "GRANT UPDATE%" as suggested by "Essa" in an earlier comment.



    BR,
    -Sachin



    ------------------------------
    Sachin Marawar
    ------------------------------



  • 4.  RE: Guardium Policy design

    Posted Tue February 18, 2025 03:50 AM

    Hi Essa Alshaikh Ali and Sachin Marawar 

    As Essa said, "Pattern" should be the best option for such a use case.

    Yesterday I designed this regex: "^(grant|revoke)\s+(SELECT|INSERT|UPDATE|DELETE|EXECUTE|REFERENCES|ALTER|CONTROL|TAKE OWNERSHIP|IMPERSONATE)(\s+(SELECT|INSERT|UPDATE|DELETE|EXECUTE|REFERENCES|ALTER|CONTROL|TAKE OWNERSHIP|IMPERSONATE))*(\s+\w+)+$"

    And it's matching queries like "grant select insert update on employee to moaz" or "grant delete on employee to moaz" or "revoke select insert update on employee from moaz".

    I'm still trying to develop the regex to cover most query options.

    Thanks a lot for your help, Essa and Sachin.

    Best regards,



    ------------------------------
    Moaz Saadeldin
    ------------------------------
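
Added example (not code from any poster in this thread): a Python check of the regex from post 4 against constructed statements, next to a hypothetical variant that also accepts comma-separated privileges, ALL, schema-qualified objects and a trailing semicolon, and that requires the ON ... TO/FROM clause. It assumes case-insensitive matching and Python `re` syntax; Guardium's own pattern engine may behave differently.

```python
import re

PRIVS = ("SELECT|INSERT|UPDATE|DELETE|EXECUTE|REFERENCES|ALTER|CONTROL|"
         "TAKE OWNERSHIP|IMPERSONATE")

# The pattern as posted in the thread. IGNORECASE is an assumption made here,
# because the post mixes lower-case verbs with upper-case privilege names.
POSTED = re.compile(
    r"^(grant|revoke)\s+(" + PRIVS + r")(\s+(" + PRIVS + r"))*(\s+\w+)+$",
    re.IGNORECASE)

# Hypothetical variant (not from the thread): privileges may be separated by
# commas or whitespace, ALL [PRIVILEGES] is accepted, and the statement must
# contain "ON <object> TO|FROM <grantee>", so system-privilege grants such as
# "SELECT ANY TABLE" are not reported as object-privilege changes.
VARIANT = re.compile(
    r"^\s*(?:grant|revoke)\s+"
    r"(?:ALL(?:\s+PRIVILEGES)?"
    r"|(?:" + PRIVS + r")(?:(?:\s*,\s*|\s+)(?:" + PRIVS + r"))*)"
    r'\s+ON\s+(?:TABLE\s+)?[\w."\[\]]+\s+(?:TO|FROM)\s+[\w"\[\]]+'
    r"(?:\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE)

# Constructed sample statements (not captured traffic).
SAMPLES = [
    "Grant update on employee to moaz",
    "grant select insert update on employee to moaz",
    "revoke select insert update on employee from moaz",
    "GRANT SELECT, INSERT ON hr.employee TO moaz",   # comma-separated list
    "GRANT UPDATE ON employee TO moaz;",             # trailing semicolon
    "REVOKE ALL ON employee FROM moaz",              # ALL is not in the posted list
    "GRANT SELECT ANY TABLE TO moaz",                # system privilege, no ON clause
]


def compare(statements):
    """Return (statement, posted_matches, variant_matches) for each input."""
    return [(s, bool(POSTED.match(s)), bool(VARIANT.match(s)))
            for s in statements]


if __name__ == "__main__":
    for stmt, posted, variant in compare(SAMPLES):
        print(f"posted={posted!s:5} variant={variant!s:5} {stmt}")
```

Running a pattern against a fixed list like this before deploying it as a policy rule shows both the statements it would miss and the ones it would report by mistake.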



  • 5.  RE: Guardium Policy design

    Posted Tue February 18, 2025 08:21 AM

    Hi @Moaz Saadeldin,

    Such regexes are not very efficient. On the other hand, since you wrote:

    we have a requirement to monitor "Any action that grants or revokes object privileges from a role or account".

    You can save the effort by using the SLP criteria STATEMENT and defining a group with any desired content, like:

    Thanks



    ------------------------------
    LEONID Rodniansky
    ------------------------------