User Rights Management for Databases

Mitigate Risk and Pass Audits

User rights management and the identification of excessive rights over sensitive data is required by various industry regulations and is an established best practice. With effective user rights management customers can reduce the risk of a data breach.

User Rights Management for Databases (URMD) enables automatic aggregation and review of user rights, focused analysis of rights to sensitive data and the identification of excessive rights and dormant users based on organizational context and actual usage. Using URMD, organizations can demonstrate compliance with regulations such as SOX, PCI 7, and PCI 8.5 and reduce the risk of data breach. URMD is an add-on option to Imperva's Database Security Products.

Key Capabilities
Automate the aggregation, consolidation and reporting on user access rights across heterogeneous enterprise databases
Analyze user access rights associated with sensitive data that represents the highest business risk
Determine if user access rights are appropriately defined, find separation of duties issues and remove excessive rights that are not required for users to do their job
Understand how access rights are actually used via integration with SecureSphere Database Activity Monitoring (DAM) and identify dormant rights and user accounts
Manage a review cycle for approving changes to user rights


Audit: Aggregate and Report on Access Rights across Databases

User Rights Management for Databases (URMD) streamlines the process of aggregating, consolidating and reporting on user access rights across heterogeneous enterprise databases. The automated audit process significantly reduces the time and resources required for gathering user rights. Consolidated reports provide a full overview of user rights across all databases and enable reviewers to focus on changes since the last review.

Investigate: Does the User have Access to Sensitive Data?

SecureSphere enables organizations to map out databases and discover where sensitive data resides on the corporate network. Data Classification provides insight into the different types of sensitive data that are stored in database objects. URMD correlates the user rights with information about the object’s sensitivity, allowing organizations to focus on analyzing access rights to sensitive data which represents the highest business risk.

Validate: Should the User Have Access to Sensitive Data?

Access to sensitive objects needs to be granted on a ‘Need-To-Know’ basis, which is typically defined by the users’ organizational context. By adding details such as the user role and department, reviewers have full visibility into the user's job function and the type of data he/she can access. URMD's analytical views let reviewers determine whether user access rights are appropriately defined and enable the removal of excessive rights that are not required for users to do their job.

Mitigate: Remove Excessive Rights and Dormant Users

When SecureSphere Database Activity Monitoring (DAM) is deployed in conjunction with URMD, it is possible to track the actual usage of database objects by different users. A combined report showing the user, the user's organizational role, the type of data the user is allowed to access and the actual usage of that data helps identify dormant users and unused access rights. Such rights can then be safely removed from the database, reducing the risk of exploitation.

Manage: Built-In Workflow for Reviewing and Approving User Rights

With Imperva URMD, organizations can easily demonstrate an automatic, repeatable process for reviewing access rights as required by regulations like PCI DSS and SOX. Imperva URMD includes a workflow framework to support user rights review and authorization processes. URMD provides a full audit trail of the rights granted/revoked, including the grantee and granted details. Administrators can accept or reject privileges and add comments to explain the decision. When further action is required, a task can be assigned and its status is tracked within SecureSphere.

User Rights Management for Databases Specifications

Specification Description
Supported Database Platforms
  • Oracle
  • Oracle Exadata
  • Microsoft SQL Server
  • IBM DB2 (on LUW)
Centralized User Rights Management
  • Aggregates user rights across all corporate databases into a single repository for centralized management
Access Rights Review
  • Enables automated, repeatable process for reviewing user access rights
Excessive User Rights Analysis
  • Supports comprehensive investigation of excessive user rights
LDAP integration
  • Add user organizational details (role, department, manager, etc.) to help validate access based on 'need-to-know'
Pre-defined reports
  • Canned reports show effective user rights, permission grants, role grants, unapproved rights and unused rights
Compliance Reports
  • Compliance Reports streamline reporting on user access rights to sensitive data. The User Rights Change Log demonstrates the existence of a user rights review process.
Custom Reports
  • Custom reports can be easily created to document analysis results
Authorization Workflow
  • Authorize or request to revoke user access rights based on analysis results
  • Add-on option to all SecureSphere Database Security product platforms, including virtual platforms
Licensing Options
  • Time based licenses: expire 30 days after activation
  • Perpetual licenses: no expiration date
When integrated with Database Activity Monitoring or Database Firewall:
Rights usage Analysis
  • See how often user rights are used and last usage date
Dormant Rights
  • Find users who haven’t used their privileges for a while
Dormant Accounts
  • Shows the last time an account has been active on the database