IBM Guardium

  • 1.  Guardium Policy design

    Posted 9 days ago

    Dear experts,

    We have a requirement to monitor "Any action that grants or revokes object privileges from a role or account".

    An example of this use case would be "Grant update on employee to moaz".

    example:

    So we need to design a use case that can monitor the above query.

    As you know, Guardium only understands "GRANT" as a "SQL verb".

    The question is: the permission "Update" should be parsed under which attribute?

    If it is not parsed, how can I make Guardium parse the "update" permission?
    Or how can I make Guardium understand the combination of "Grant & Update" as a SQL verb?
    Best regards,


    ------------------------------
    Moaz Saadeldin
    ------------------------------


  • 2.  RE: Guardium Policy design

    Posted 8 days ago

    Hi,

    The best option is to use an SQL criteria rule with "Pattern" and develop a regular expression that matches your criteria.

    Thanks,



    ------------------------------
    Essa Alshaikh Ali
    ------------------------------



  • 3.  RE: Guardium Policy design

    Posted 8 days ago
    Edited by Sachin Marawar 8 days ago

    Hi Moaz,

    I tried this in one of my Oracle test systems and was able to capture the GRANT UPDATE ON TABLE TO USER SQL.

    I believe that the organics are just in object and SQL verb and field attribute in case involved.
    The rest of the permissions-related portion, UPDATE ON TABLE TO USER, will be considered as an SQL statement, as you can see in the report that I could fetch.

    And if you want to capture this type of SQL command, then you can use the filter of Command like "GRANT UPDATE%" as suggested by "Essa" in an earlier comment.



    BR,
    -Sachin



    ------------------------------
    Sachin Marawar
    ------------------------------



  • 4.  RE: Guardium Policy design

    Posted 8 days ago

    Hi Essa Alshaikh Ali and Sachin Marawar,

    As Essa said, "Pattern" should be the best option for such a use case.

    Yesterday I designed this regex: "^(grant|revoke)\s+(SELECT|INSERT|UPDATE|DELETE|EXECUTE|REFERENCES|ALTER|CONTROL|TAKE OWNERSHIP|IMPERSONATE)(\s+(SELECT|INSERT|UPDATE|DELETE|EXECUTE|REFERENCES|ALTER|CONTROL|TAKE OWNERSHIP|IMPERSONATE))*(\s+\w+)+$"

    and it's matching queries like "grant select insert update on employee to moaz" or "grant delete on employee to moaz" or "revoke select insert update on employee from moaz".

    I'm still trying to develop the regex to cover most query options.

    Thanks a lot for your help, Essa and Sachin.

    Best regards,



    ------------------------------
    Moaz Saadeldin
    ------------------------------
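
A coverage check for the pattern in the post above, as an added example that is not part of the original thread: it runs the posted regex over constructed GRANT/REVOKE statements and lists the ones that would not alert. Python's `re` module stands in for Guardium's regex engine here, which is an assumption, as are case-insensitive matching, the sample statements and the `BROADER` pattern.

```python
import re

PRIVS = "SELECT|INSERT|UPDATE|DELETE|EXECUTE|REFERENCES|ALTER|CONTROL|TAKE OWNERSHIP|IMPERSONATE"
# Pattern from the post above (PRIVS is only factored out; the regex is equivalent).
# IGNORECASE is an assumption: the poster's lowercase examples match only with it.
POSTED = re.compile(
    rf"^(grant|revoke)\s+({PRIVS})(\s+({PRIVS}))*(\s+\w+)+$", re.IGNORECASE)

# Added, hypothetical alternative: key on the statement shape
# GRANT/REVOKE ... ON <object> ... TO/FROM instead of enumerating privileges.
BROADER = re.compile(r"^\s*(grant|revoke)\b.+?\bon\b.+?\b(to|from)\b",
                     re.IGNORECASE | re.DOTALL)

# Constructed sample statements (not captured traffic): (sql, should_alert)
SAMPLES = [
    ("grant select insert update on employee to moaz", True),    # from the thread
    ("grant delete on employee to moaz", True),                   # from the thread
    ("revoke select insert update on employee from moaz", True),  # from the thread
    ("GRANT SELECT, UPDATE ON employee TO moaz", True),           # comma-separated list
    ("grant update on hr.employee to moaz", True),                # schema-qualified object
    ("grant update on employee to moaz;", True),                  # trailing semicolon
    ("GRANT ALL PRIVILEGES ON employee TO moaz", True),           # privilege not in list
    ("grant update (salary) on employee to moaz", True),          # column-level grant
    ("grant dba to moaz", False),                                 # role grant, no ON clause
    ("select * from employee", False),                            # unrelated statement
]

def missed(pattern):
    """Statements that should alert but that the pattern does not match."""
    return [sql for sql, expected in SAMPLES if expected and not pattern.search(sql)]

def false_alerts(pattern):
    """Statements that should not alert but that the pattern matches."""
    return [sql for sql, expected in SAMPLES if not expected and pattern.search(sql)]

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("broader", BROADER)):
        print(name, "missed:", missed(pat), "false alerts:", false_alerts(pat))
```

Any revised pattern should be re-run against the same samples and then validated on the Guardium appliance itself, since its regex dialect may differ from Python's.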



  • 5.  RE: Guardium Policy design

    Posted 8 days ago

    Hi @Moaz Saadeldin,

    Such regexes are very inefficient. On the other hand, since you wrote:

    we have a requirement to monitor "Any action that grants or revokes object privileges from a role or account".

    You can save the effort by using SLP criteria STATEMENT and defining a group with any desired content, like:

    Thanks



    ------------------------------
    LEONID Rodniansky
    ------------------------------