
Apply for Permission

Last Updated: Jun 29, 2020

In the Data Management Service (DMS) console, you can set security rules in the Apply for Permission module for validating applications for permissions, including permissions on instances, databases, and tables.

Background

By configuring security rules written in a domain-specific language (DSL), you can assign risk levels to tickets so that each ticket is routed to the approval process designed for its risk level. For example, you can set security rules that regulate applications for permissions on instances. For more information about the DSL syntax, see DSL syntax for security rules.

Prerequisites

You are a DMS administrator, database administrator (DBA), or security administrator.

Basic configuration items

You can view the following eight basic configuration items on the Apply for Permission tab:

  • [Instance-permission application] default approval Template: the default approval template that takes effect if you do not set different approval processes for instance permission applications at different risk levels under the Validation for Instance Permission Application checkpoint. You can also change the default approval template. For more information, see Procedure of changing the default approval template.
  • [Library-permission application] default approval Template: the default approval template that takes effect if you do not set different approval processes for database permission applications at different risk levels under the Database Permission Application Validation checkpoint.
  • Table-permission request default approval Template: the default approval template that takes effect if you do not set different approval processes for table permission applications at different risk levels under the Table Permission Application Validation checkpoint.
  • [Programmable object-permission application] default approval Template: the default approval template that takes effect if you do not set different approval processes for programmable object permission applications at different risk levels under the Programmable object verification checkpoint.
  • [Field-permission application] default approval Template: the default approval template that takes effect if you do not set different approval processes for sensitive field permission applications at different risk levels under the Sensitive Field Application Validation checkpoint.
  • Line-permission application default approval Template: the default approval template that takes effect if you do not set different approval processes for row permission applications at different risk levels under the Line permission application verification checkpoint.
  • [Owner-application] default approval template (when the resource has no Owner): the default approval template that takes effect if you do not set different approval processes for data ownership applications at different risk levels under the Owner Application Validation checkpoint and the data involved in the application has no current owner.
  • [Owner-application] default approval template (when the resource has an Owner): the default approval template that takes effect if you do not set different approval processes for data ownership applications at different risk levels under the Owner Application Validation checkpoint and the data involved in the application has one or more current owners.

Checkpoints

When a user submits a ticket to apply for permissions, the system checks whether the ticket conforms to the rules specified under the relevant checkpoints. The ticket can be submitted only after the system determines that it conforms to all of those rules. DMS offers the following seven checkpoints for validating permission applications:

  • Owner Application Validation: Under this checkpoint, you can set approval processes or constraints for Instance-OWNER, Table-OWNER, and Database-OWNER tickets.

  • Validation for Instance Permission Application: Under this checkpoint, you can set approval processes or constraints for Instance-Performance and Instance-Login tickets.

  • Database Permission Application Validation: Under this checkpoint, you can set approval processes or constraints for Database-Permission tickets.

  • Table Permission Application Validation: Under this checkpoint, you can set approval processes or constraints for Table-Permission tickets.

  • Programmable object verification: Under this checkpoint, you can set approval processes or constraints for Programmable Object tickets.

  • Sensitive Field Application Validation: Under this checkpoint, you can set approval processes or constraints for Sensitive Column-Permission tickets.

  • Line permission application verification: Under this checkpoint, you can set approval processes or constraints for Row-Permission tickets.

You can use the default rules provided by DMS, or set custom rules as required. For more information about how to create a security rule, see Procedure of creating a security rule.

Factors and actions

  • Factor: A factor is a built-in system variable through which a security rule obtains the context it validates, such as the subcategory of an SQL statement or the name of a database. A factor name consists of the prefix @fac. followed by the display name of the factor type. Each module of the Security Rules page offers different factors for its checkpoints. The following table describes the factors supported in the Apply for Permission module.

    Factor                        Description
    @fac.env_type                 The type of the environment. The value is the display name of the environment type, such as DEV and PRODUCT. For more information, see Change the environment type of an instance.
    @fac.schema_name              The name of the database.
    @fac.perm_apply_duration      The period of time, in hours, for which the applicant needs the permission.
    @fac.column_security_level    The security level of the field. Valid values: sensitive, confidential, and inner.
  • Action: An action is the operation that the system performs when the condition in the if statement of a rule is met. For example, the system can forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. The action expresses the purpose of a security rule. An action name consists of the prefix @act. followed by the display name of the action type. Each module of the Security Rules page offers different actions for its checkpoints. The following table describes the actions supported in the Apply for Permission module.

    Action                                      Description
    @act.forbid_submit_order                    Forbids the ticket from being submitted.
    @act.do_not_approve                         These three actions specify the approval template. For more information, see Approval processes.
    @act.choose_approve_template
    @act.choose_approve_template_with_reason

Templates of security rules

DMS provides you with various system built-in templates of security rules. You can directly use the templates or modify the templates based on your business requirements. The following table describes the supported rule templates in the Apply for Permission module.

Checkpoint: Owner Application Validation
  • Specifies that application for the ownership of data in an online environment is not allowed.
  • Specifies that application for the ownership of data is not allowed.
  • Specifies that no approval is required for application for the ownership of data in an offline environment.

Checkpoint: Database Permission Application Validation
  • Specifies that application for permissions on a database is not allowed.
  • Specifies that application for permissions on a database in an online environment is not allowed.
  • Specifies that no approval is required for application for permissions on a database in an offline environment.

Checkpoint: Table Permission Application Validation
  • Specifies that application for permissions on a table is not allowed.
  • Specifies that application for permissions on a table in an online environment is not allowed.
  • Specifies that no approval is required for application for permissions on a table in an offline environment.

Checkpoint: Programmable object verification
  • Specifies that application for permissions on a programmable object is not allowed.
  • Specifies that application for permissions on a programmable object in an online environment is not allowed.
  • Specifies that no approval is required for application for permissions on a programmable object in an offline environment.

Checkpoint: Sensitive Field Application Validation
  • Specifies that application for permissions on a sensitive field is not allowed.
  • Sets an approval process for application for permissions on a confidential field.

Checkpoint: Line permission application verification
  • Specifies that application for permissions on a row is not allowed.
  • Specifies that application for permissions on a row in an online environment is not allowed.
  • Sets an approval process for application for permissions on a row.
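The following is an added example, not DMS code, that models how the factors, actions and checkpoints described above combine to decide whether a ticket can be submitted and which approval process it receives. The factor and action names are the ones listed on this page; the DSL syntax is not modelled (each rule's condition is a plain Python predicate), and the template names, the rule precedence (any matching forbid rule blocks submission, otherwise the last matching rule that selects a process wins, otherwise the checkpoint's default template) and the long-duration rule are constructed assumptions. Three of the rules mirror built-in templates from the table above.

```python
"""Model of DMS-style security rules for the Apply for Permission module.

Added example, not DMS code. Factor and action names are from the page;
the precedence rules, default template names and the long-duration rule
are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Action names listed on the page.
FORBID_SUBMIT = "@act.forbid_submit_order"
DO_NOT_APPROVE = "@act.do_not_approve"
CHOOSE_TEMPLATE = "@act.choose_approve_template"

# Three of the seven checkpoint names listed on the page.
OWNER_CP = "Owner Application Validation"
DATABASE_CP = "Database Permission Application Validation"
SENSITIVE_CP = "Sensitive Field Application Validation"


@dataclass
class Ticket:
    """Factor values (@fac.*) for one permission ticket."""
    checkpoint: str
    env_type: str                    # @fac.env_type, e.g. "DEV" or "PRODUCT"
    schema_name: str                 # @fac.schema_name
    perm_apply_duration: int         # @fac.perm_apply_duration, in hours
    column_security_level: Optional[str] = None  # @fac.column_security_level


@dataclass
class Rule:
    name: str
    checkpoint: str
    condition: Callable[[Ticket], bool]   # stands in for the DSL "if" part
    action: str
    template: Optional[str] = None        # used with CHOOSE_TEMPLATE
    enabled: bool = False                 # a new rule starts Disabled (step 8)


@dataclass
class Decision:
    can_submit: bool
    approval: Optional[str]               # template name or "no approval"
    matched: List[str] = field(default_factory=list)


# Hypothetical default approval templates, one per checkpoint (assumption).
DEFAULT_TEMPLATES: Dict[str, str] = {
    OWNER_CP: "owner-default",
    DATABASE_CP: "database-default",
    SENSITIVE_CP: "sensitive-field-default",
}


def evaluate(ticket: Ticket, rules: List[Rule],
             defaults: Dict[str, str] = DEFAULT_TEMPLATES) -> Decision:
    """Apply every enabled rule under the ticket's checkpoint.

    Assumed precedence: a matching forbid rule blocks submission outright;
    otherwise the last matching rule that selects an approval process wins;
    if no rule selects one, the checkpoint's default template applies.
    """
    matched: List[str] = []
    approval: Optional[str] = None
    for rule in rules:
        if not rule.enabled or rule.checkpoint != ticket.checkpoint:
            continue
        if not rule.condition(ticket):
            continue
        matched.append(rule.name)
        if rule.action == FORBID_SUBMIT:
            return Decision(False, None, matched)
        if rule.action == DO_NOT_APPROVE:
            approval = "no approval"
        elif rule.action == CHOOSE_TEMPLATE:
            approval = rule.template
    return Decision(True, approval or defaults[ticket.checkpoint], matched)


# Rules mirroring three built-in templates from the page, plus one constructed
# rule that uses @fac.perm_apply_duration to escalate long-lived grants.
RULES: List[Rule] = [
    Rule("forbid owner application in online env", OWNER_CP,
         lambda t: t.env_type == "PRODUCT", FORBID_SUBMIT, enabled=True),
    Rule("no approval for database permission in offline env", DATABASE_CP,
         lambda t: t.env_type == "DEV", DO_NOT_APPROVE, enabled=True),
    Rule("approval process for confidential field", SENSITIVE_CP,
         lambda t: t.column_security_level == "confidential",
         CHOOSE_TEMPLATE, template="confidential-field-approval", enabled=True),
    Rule("long-duration production database grant", DATABASE_CP,   # constructed
         lambda t: t.env_type == "PRODUCT" and t.perm_apply_duration > 720,
         CHOOSE_TEMPLATE, template="dba-and-security-approval", enabled=True),
]


def decide(checkpoint: str, env_type: str, schema_name: str = "orders",
           duration: int = 24, level: Optional[str] = None,
           rules: List[Rule] = RULES) -> Decision:
    """Build a ticket from factor values and evaluate it against the rules."""
    return evaluate(Ticket(checkpoint, env_type, schema_name, duration, level), rules)


if __name__ == "__main__":
    for args in [(OWNER_CP, "PRODUCT"), (OWNER_CP, "DEV"), (DATABASE_CP, "DEV"),
                 (DATABASE_CP, "PRODUCT", "orders", 2000),
                 (SENSITIVE_CP, "PRODUCT", "crm", 8, "confidential")]:
        print(args, decide(*args))
```

Running the module prints one decision per constructed ticket: the production owner request is blocked, the offline database request needs no approval, and the confidential-field request is routed to its own template. The `enabled` flag reproduces the page's note that a newly created rule is Disabled until you click Enable, so a rule that has been created but not enabled has no effect on any ticket.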

Procedure of creating a security rule

  1. Log on to the DMS console.

  2. In the top navigation bar, choose System Management > Security > Security Rules.

  3. On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.

  4. On the Details page that appears, click the Apply for Permission Application tab.

  5. On the Apply for Permission Application tab, click Create Rule next to Actions.

  6. In the Create Rule - Apply for Permission dialog box that appears, set the parameters as required. The following table describes the parameters.

    Checkpoints (Required): The checkpoint under which you want to create the security rule. The Apply for Permission module offers the following seven checkpoints:
    • Owner Application Validation
    • Validation for Instance Permission Application
    • Database Permission Application Validation
    • Table Permission Application Validation
    • Programmable object verification
    • Sensitive Field Application Validation
    • Line permission application verification
    Template Database (Optional): The template based on which you want to create the security rule. DMS provides various built-in templates of security rules. After you select a checkpoint from the Checkpoints drop-down list, you can click Load from Template Database to select a template. For more information about the available templates, see Templates of security rules.
    Rule Name (Required): The name of the security rule. If you load a security rule from a template, the rule name is automatically filled in.
    Rule DSL (Required): The DSL statement that defines the security rule. For more information, see DSL syntax for security rules. If you load a security rule from a template, the statement is automatically filled in.
  7. Click Submit.

  8. Find the created security rule and click Enable in the Actions column. By default, the created security rule is in the Disabled state.

  9. In the message that appears, click OK.