Guardium Entitlement Reports are a useful feature that help you determine what privileges have been assigned in your databases. It's primary value is in helping you create standardized reporting for entitlements based on the database catalog information in each database without you having to create custom scripts.
This being said, that's all Guardium does - query the database catalogs of the databases you register and shows you that information. Certain database types, MS SQL Server for instance, may obscure who the end user that has a certain privilege is because the database catalog just has a listing for the groups assigned, not the users in those groups. An example is show in figure 1. A role for a MS SQL Server database is shown to be assigned to a WINDOWS_GROUP. Invariably, the next question becomes: who is in that Windows group, and can I see that information in the same report set and environment I am getting delivered to me anyway rather than having to look up the information in my corporate directory server separately.
Figure 1: A Guardium Entitlement Report showing a role assigned to two groups: TESTDIR\testgroup1 and TESTDIR\testgroup2 - Who are the users in those groups? |
Building a report on that group membership is what this post is all about. You should be warned though: Guardium is not very good at this. In this post you will see mechanisms to try and help make this happen but keep in mind that these mechanisms were not originally designed to fulfill this specific use case. So, it may start to feel a little awkward in making this happen.
Before we go into specifics, here is an overview of what needs to be done. Figure 2 outlines the process.
Figure 2: Process for Active Directory and LDAP Group Membership Reporting in Guardium |
This example is built for MS SQL Server and Active Directory, but the same principles would apply for other database and directory server types. The first task to to take the entitlement report that you are seeing the groups listed in and create a special custom column to flip the domain and group names in the reported values. This will seem strange, but the reasons will become apparent later. Then populate a "bindValues" group to contain all of the groups you are interested in. This group can be populated automatically from the entitlement report using Guardium's "Populate From Query" function and the specialized column you created to switch the domain and group name. Next, populate a regular group to use the bindValues group and set it up to populate from LDAP. The end results will be members of that group that will show the group name following by a backslash ("\") followed by the member of the group. Finally build a report on that group to show what end user is in each active directory group.
Step 1: The Entitlement Report and Custom Column
For this example, let's use the "mssql2005/8 Role Granted To User And Role" built-in entitlement report. That is the same report pictured previously in Figure 1. Build a custom computed column on that entitlement report using the following grdapi call:grdapi create_computed_attribute expression="concat(substring_index(Grantee, CHAR(92), -1), CHAR(92), substring_index(Grantee, CHAR(92), 1))" entityLabel="MSSQL2005/8 Role Granted To User And Role" attributeLabel=GroupUserFlipAll the expression does is, for values that contain a backslash, have the values before and after the slash trade places (eg: "DOMAIN\group_name" becomes "group_name\DOMAIN"). This creates a new column in the "MSSQL2005/8: Role Granted To User And Role" domain called GroupUserFlip. Next, create a query that includes that new column and limits the output to just WINDOWS_GROUP values (see Figure 3). You can create a report like this by accessing as admin: Tools --> Report Building --> Custom Query Buider --> MSSQL2005/8: Role Granted To User And Role --> New, or by cloning and modifying the existing entitlement report built off that domain.
Figure 3: Report With New Custom Computed Column and WINDOWS_GROUP Filter |
Step 2: Create and Populate the bindValues Group
Create and Configure a new group as an OBJECTS type group. Call the group "- AD Group Membership_bindValues". Next, in the group builder, select the group and click "Populate From Query". Then configure that population process according to what is shown in Figure 4. You will populate the group based on the query and new custom column you created in Step 1.
Figure 4: Populating the bindValues Group Based on the Query and Customer Computed Attribute Created in Step 1 |
Step 3: Configure the LDAP/AD Import
Now that the bindValues group is created, you can create another group that will use that group's content as parameters in it's LDAP/AD queries. Create this new group with a type of "USERS" and name it "- AD Group Membership" (note that it has the same name as the group in Step 2, without the "_bindValues" prefix - if you are using your own group names, just follow that convention). Configure the LDAP Import for this group similarly to what is pictured in Figure 4.Figure 4: LDAP Group Import Configuration |
memberof=CN=:2,CN=Users,DC=:1,DC=infoinsightsllc,DC=comOf course, your configuration is likely to be different, but the important part in the search filter is that ":2" is located where you would normally put in a group name for an LDAP import, and ":1" is located where you normally specify the Active Directory domain you are working with. If you specify the search filter correctly, and run the import, it results in entries similar to Figure 5, showing the AD group names before the backslash in each entry, and the AD group member after the backslash.
Step 4: Reporting on the Imported Group Membership Information
The final step is to build a report on those imported group members. To do that, build a report on group membership by logging in as a user that is assigned admin and navigating to Tools --> Report Building --> Group Tracking. Create the query similar to that shown in Figure 6.Figure 6: Report on Group Membership |
Figure 7 is the result that you can then apply filters to and/or schedule to put into an audit process for regular delivery with the rest of your entitlement reports.
Figure 7: The Final Result Showing Active Directory Group Membership for the Groups in Our Original Entitlement Report |
No comments:
Post a Comment