Guardium Entitlement Reports are a useful feature that help you determine what privileges have been assigned in your databases. It's primary value is in helping you create standardized reporting for entitlements based on the database catalog information in each database without you having to create custom scripts.
This being said, that's all Guardium does - query the database catalogs of the databases you register and shows you that information. Certain database types, MS SQL Server for instance, may obscure who the end user that has a certain privilege is because the database catalog just has a listing for the groups assigned, not the users in those groups. An example is show in figure 1. A role for a MS SQL Server database is shown to be assigned to a WINDOWS_GROUP. Invariably, the next question becomes: who is in that Windows group, and can I see that information in the same report set and environment I am getting delivered to me anyway rather than having to look up the information in my corporate directory server separately.
|Figure 1: A Guardium Entitlement Report showing a role assigned to two groups: TESTDIR\testgroup1 and TESTDIR\testgroup2 - Who are the users in those groups?|
Building a report on that group membership is what this post is all about. You should be warned though: Guardium is not very good at this. In this post you will see mechanisms to try and help make this happen but keep in mind that these mechanisms were not originally designed to fulfill this specific use case. So, it may start to feel a little awkward in making this happen.