Objects are added, changed and removed from Object Groups using discovery rules.
To be able to add objects to an Object Group, this group needs to exist first, which is the reason why one needs to follow the steps in the following HowTo Guide first to be able to follow the steps in this Guide: Add an Object Group
¶ 1 Add objects to an Object Group
After successfully creating an Object Group, one can add objects to said group using the API_SCURTY.ADD_OB_OBJ_DISCOVER_RULE script. Objects are added using rules, written as regular expressions, for including and excluding schemas, objects and comments from the Object Group. To be able to add objects to a specific Object Group the exact name of said group needs to be provided to the beforementioned script. While the inclusion patterns are mandatory, the exclusion patterns are optional. However, one has to be careful when choosing the inclusion patterns as all inclusion patterns will default to '.*' including all schemas, objects and comments when not properly set. Adding a rule comment is also optional.
¶ Example
EXCUTE SCRIPT API_SCURTY.ADD_OG_OBJ_DISCOVER_RULE (
'TEST_OG' -- p_object_group
,'PSV_TEST_(TA|DR)' -- p_schema_incl_pattern
,null -- p_schema_excl_pattern
,'.*_TAB.*' -- p_object_incl_pattern
,null -- p_object_excl_pattern
,'.*' -- p_comment_incl_pattern
,null -- p_comment_excl_pattern
,'test-tabs' -- p_rule_comment
);
After issuing this command, an entry will be added to the table SCURTY.REP_OG_OBJ_DISCOVER_RULES and the view SCURTY.REP_OBJECT_MAP_V.
SCURTY.REP_OG_OBJ_DISCOVER_RULES
| RULE_ID | OBJECT_GROUP | SCHEMA_ INCL_ PATTERN | SCHEMA_ EXCL_ PATTERN | OBJECT_ INCL_ PATTERN | OBJECT_ EXCL_ PATTERN | COMMENT_ INCL_ PATTERN | COMMENT_ EXCL_ PATTERN | RULE_ COMMENT |
|---|---|---|---|---|---|---|---|---|
| 66 | TEST_OG | PSV_TEST_(TA|DR) | (null) | .*_TAB.* | (null) | .* | (null) | test-tabs |
SCURTY.REP_OBJECT_MAP_V
| OBJECT_GROUP | OBJECT_SCHEMA | OBJECT_NAME | OBJECT_TYPE | LVL |
|---|---|---|---|---|
| TEST_OG | PSB_TEST_TA | TEST_TAB | VIEW | 1 |
| TEST_OG | PSA_TEST | TEST_TAB | TABLE | 2 |
| TEST_OG | PSA_TEST | TEST_TAB | TABLE | 3 |
| TEST_OG | PSV_TEST_DR | TEST_TAB | VIEW | 0 |
| TEST_OG | PSB_TEST_DR | TEST_TAB | VIEW | 2 |
| TEST_OG | PSB_TEST_DR | TEST_TAB | VIEW | 1 |
| TEST_OG | PSV_TEST_TA | TEST_TAB | VIEW | 0 |
¶ 2 Change which objects should belong to an Object Group
To change which objects should belong to a specific Object Group, one can use the script API_SCURTY.CHANGE_OG_OBJ_DISCOVER_RULES which allows to add and remove objects from an Object Group by modifying the inclusion and exclusion patterns of the discovering rule. One can also modify the rule comment. For the script to be able to do any changes to the already set discover rules, one has to provide the rule-id which has been assigned during creation. It can be found in the table SCURTY.REP_OG_OBJ_DISCOVER_RULES. By providing the value NULL to the script for any of the parameters, the already saved parameter value will be kept.
¶ Example
EXECUTE SCRIPT API_SCURTY.CHANGE_OG_OBJ_DISCOVER_RULE(
66 -- p_rule_id
,null -- p_schema_incl_pattern
,'PSV_TEST_TA' -- p_schema_excl_pattern
,null -- p_object_incl_pattern
,null -- p_object_excl_pattern
,null -- p_comment_incl_pattern
,null -- p_comment_excl_pattern
,'change-test' -- p_rule_comment
);
In this example only the schema exclusion pattern and the rule comment are being modified, while the rest of the parameter values stay the same, due to the values being set to null in this change operation. With this call a schema exclusion pattern has been added.
The changed discover rule can be found in the table SCURTY.REP_OG_OBJ_DISCOVER_RULES and the changes in the objects belonging to the 'TEST_OG' Object Group can be found in the view SCURTY.REP_OBJECT_MAP_V.
SCURTY.REP_OG_OBJ_DISCOVER_RULES
| RULE_ID | OBJECT_GROUP | SCHEMA_ INCL_ PATTERN | SCHEMA_ EXCL_ PATTERN | OBJECT_ INCL_ PATTERN | OBJECT_ EXCL_ PATTERN | COMMENT_ INCL_ PATTERN | COMMENT_ EXCL_ PATTERN | RULE_ COMMENT |
|---|---|---|---|---|---|---|---|---|
| 66 | TEST_OG | PSV_TEST_(TA|DR) | PSV_TEST_TA | .*_TAB.* | (null) | .* | (null) | change-test |
SCURTY.REP_OBJECT_MAP_V
| OBJECT_GROUP | OBJECT_SCHEMA | OBJECT_NAME | OBJECT_TYPE | LVL |
|---|---|---|---|---|
| TEST_OG | PSA_TEST | TEST_TAB | TABLE | 2 |
| TEST_OG | PSV_TEST_DR | TEST_TAB | VIEW | 0 |
| TEST_OG | PSB_TEST_DR | TEST_TAB | VIEW | 1 |
¶ 3 Remove Object Discover Rule
By removing the object discover rule, this also removes any object associated to the Object Group, which have been added through this rule. An object discover rule can be removed using the script API_SCURTY.REMOVE_OG_OBJ_DISCOVER_RULE. For this script only the rule id of the discover rule which should be removed is needed.
¶ Example
EXECUTE SCRIPT API_SCURTY.REMOVE_OG_OBJ_DISCOVER_RULE(
66 -- p_rule_id
);
After successfully removing the rule and therefore all objects associated to the Object Group via this rule, the entry for this rule in the table SCURTY.REP_OG_OBJ_DISCOVER_RULES as well as all entries belonging to the 'TEST_OG' Object Group in the view SCURTY.REP_OBJECT_MAP_V should be gone.