GBDI 4.2

Groups

In addition to the main data collections described in the GBDI Data Model documentation, you can create any data set within the GBDI warehouse for enriching your reports and data.

One special collection is the group_members collection. This collection maintains group information and is part of the data extracts processed by GBDI; rather than being populated within the GBDI application, it serves as a copy of your existing Guardium group definitions. Usually these extracts come directly from the CM, since all appliances sync from the CM; however, you can choose to receive them from any Guardium appliance.

All predefined reports allow you to select data either by using a regular expression or by selecting a group of USERS, OBJECTS or COMMANDS, or by combining the two approaches.

For power users who use JSON Studio to design new queries and reports, a built-in operator called GUARDIUM_GROUPS is available from the operator pull-down in both the Finder and the Aggregation Builder. It creates the appropriate query to retrieve group data as a subquery.

In addition, when working within JSON Studio you can use the shorthand:

"$$LMRM_GG$<field name>$<group name>$"

Note

The shorthand must be placed on the right-hand side (RHS) of an expression, so wrap it in $or or $and (even if there is only one group in the search). For example, to query all sessions where the DB User Name is within a group and the OS User Name is within a group, use:

$and: ["$$LMRM_GG$DB User Name$Admin Users$", "$$LMRM_GG$OS User Name$Root Users$"]

Note also that group descriptions that have quotes within them cannot be used in predefined reports.

When you want to create a report that has a group as a parameter (i.e. letting the user select the group), create the query pipeline and, when publishing the URL, enter the group TYPE in the value and check the As Group? checkbox.