Monday, March 13, 2017

Guardium's Groupy Action at a Distance

by John Haldeman, Enterprise Architect

I've heard this a lot lately:
I updated my group and reinstalled my policy, but the change to the group doesn't look like it was applied.
(Note: see the correction below. This applies only to reports, not to policies.)

Well, this could be a result of a recent change to how groups work in Guardium. The best thing about it is that reports that use a lot of group members are going to run faster (especially if the CM is far away from the unit running the report). The worst thing about it is that you need to know more about how things work in order to see your changes applied immediately.


How it used to work is that if you modified a group from any appliance, you would just need to reinstall the policy. The group image on the central manager was indistinguishable from the image on the collector (for those interested in mechanics, this seems to have been done with something like a database link). The new behavior is that the groups used in policies and reports are stored locally on the managed unit. If you edit a group from a managed unit, you are still editing the central manager's view of the group, but that is not the image used in policies and reports; a local image is used.

The upshot is that if you want the group membership to be reflected on the managed unit, you need to first synchronize the group definition with the managed unit in question. How do you do that? Well, you can use portal user sync:
https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc.admin/aggregate_cm/synchronizing_portal_user_accounts.html
Quoting the manual:
some other definitions that are required for local processing (Groups and Group members, Audit processes, Aliases, and more) are also copied. The managed units then update their internal databases on an hourly basis.
Wait, I can run portal user sync to get the data down to my collector, but the change only takes effect hourly after that anyway? (This, by the way, is also why your password changes don't get applied immediately after a portal sync.) What if I want the change reflected immediately?

The good news is you can! This is done with the special "Refresh" button under Central Management, which does much more than simply refresh your list of appliances. In fact, aside from group synchronization, it also does things like synchronize your custom table definitions between appliances and force a full user synchronization. I think it does much more as well, but I haven't seen a complete list. At least now you know three of the things it does!

The "Refresh" button in Manage > Central Management > Central Management does much more than refresh the view.

Hope you find that useful.


*UPDATE* Yosef Rozenblit and Vinay Vijayadharan provided some great comments on the behavior in the comment section and on LinkedIn. This does not seem to apply to policy installation. I tested it more carefully in our lab and on close inspection they are right: it only applies to reports. Thanks for the thoughtful feedback, Yosef and Vinay!