Sensitive Column Change

Last Updated: Jul 27, 2020

This topic describes how to set approval processes for tickets that request changes to the security levels of sensitive fields in the Data Management Service (DMS) console.

Basic configuration items

Sensitive column default approval Template: the approval template that applies by default when no rule under the Approval Rule Validation checkpoint sets an approval process for a ticket that requests a security level change for a sensitive field. You can change the default approval template. For more information, see Procedure of changing the default approval template.

Checkpoint

When a user submits a ticket to change the security level of a sensitive field, the system checks whether the ticket conforms to rules specified under the Approval Rule Validation checkpoint. Under this checkpoint, you can customize security rules to direct tickets to different approval processes. You can use the default rules provided by DMS, or set custom rules as required. For more information about how to create a security rule, see Procedure of creating a security rule.

Factors and actions

  • Factor: A factor is a built-in system variable that supplies the context that security rules validate, such as the subcategories of SQL statements and the number of rows in which data is affected. A factor name starts with @fac., followed by the display name of the factor type. Each module of the Security Rules page offers different factors for different checkpoints. The following table describes the supported factors in the Sensitive Column Change module.

    Factor | Description
    @fac.column_level_change_type | The type of security level change that the applicant wants to perform on the sensitive field. Valid values:

      • upper: Raise the current security level, including the following three cases:
        • From inner to sensitive
        • From inner to confidential
        • From sensitive to confidential
      • sensitive_to_internal: Lower the security level from sensitive to inner.
      • confidential_to_sensitive: Lower the security level from confidential to sensitive.
      • confidential_to_internal: Lower the security level from confidential to inner.

  • Action: An action is the operation that the system performs after the conditions specified in the if statement are met. For example, the system can forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. The action expresses the purpose of a security rule. An action name starts with @act., followed by the display name of the action type. Each module of the Security Rules page offers different actions for different checkpoints. The following table describes the supported actions in the Sensitive Column Change module.

    Action | Description
    @act.forbid_submit_order | Forbids the ticket from being submitted. The statement is in the following format: @act.forbid_submit_order 'Reasons for forbidding submitting the ticket'.
    @act.do_not_approve | Specifies the approval template. For more information, see Approval processes.
    @act.choose_approve_template |
    @act.choose_approve_template_with_reason |
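
As an added illustration (not taken from DMS or its built-in templates), the two rules below combine the factor and actions listed above to control downgrades of a field's security level. The if/then/end form and the // comments are assumed from the DSL syntax reference that this page points to, and <approval-template-id> is a placeholder for the ID of an approval template.

```text
// Added example, not a DMS built-in template.
// Assumptions: if/then/end rule form and // comments as in the DSL syntax
// reference; <approval-template-id> is a placeholder, not a real ID.

// Rule 1: route a downgrade from confidential to inner to a chosen
// approval template.
if
  @fac.column_level_change_type == 'confidential_to_internal'
then
  @act.choose_approve_template <approval-template-id>
end

// Rule 2 (created as a separate rule): stop a downgrade from sensitive
// to inner before the ticket is submitted, and tell the applicant why.
if
  @fac.column_level_change_type == 'sensitive_to_internal'
then
  @act.forbid_submit_order 'Lowering a sensitive field to inner is not allowed in this rule set.'
end
```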

Templates of security rules

DMS provides you with various system built-in templates of security rules. You can directly use the templates or modify the templates based on your business requirements. The following table describes the supported rule templates in the Sensitive Column Change module.

Checkpoint: Approval Rule Validation

Features of the templates:

  • Specifies that no approval is required for raising the security level of a sensitive field.
  • Sets an approval process for lowering the security level of a sensitive field from sensitive to inner.
  • Sets an approval process for lowering the security level of a sensitive field from confidential to sensitive.
  • Sets an approval process for lowering the security level of a sensitive field from confidential to inner.

Procedure of changing the default approval template

  1. Log on to the DMS console.
  2. In the top navigation bar, choose System Management > Security > Security Rules.
  3. On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.
  4. On the Details page that appears, click the Sensitive Column Change tab.
  5. On the Sensitive Column Change tab, the basic configuration items appear by default.
  6. Find the Sensitive column default approval Template configuration item and click Edit in the Actions column.
  7. In the Change Configuration Item dialog box that appears, click Switch Approval Template.
  8. In the Switch Approval Template dialog box that appears, find the target template and click Select in the Actions column.

    Note: You can also click Reset to Free of Approval to skip the approval for tickets.

  9. Click Submit.

Procedure of creating a security rule

  1. Log on to the DMS console.
  2. In the top navigation bar, choose System Management > Security > Security Rules.
  3. On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.
  4. On the Details page that appears, click the Sensitive Column Change tab.
  5. On the Sensitive Column Change tab, click Create Rule next to Actions.

  6. In the Create Rule - Sensitive Column Change dialog box that appears, set the parameters as required. The following table describes the parameters.

    Parameter | Description
    Checkpoints | (Required) The checkpoint under which you want to create the security rule. The Approval Rule Validation checkpoint is provided in the Sensitive Column Change module.
    Template Database | (Optional) The template based on which you want to create the security rule. DMS provides you with various system built-in templates of security rules. After you select a checkpoint from the Checkpoints drop-down list, you can click Load from Template Database to select a template. For more information about the available templates, see Templates of security rules.
    Rule Name | (Required) The name of the security rule. If you load a security rule from a template, the rule name is automatically filled in.
    Rule DSL | (Required) The DSL statement used to set the security rule. For more information, see DSL syntax for security rules. If you load a security rule from a template, the statement is automatically filled in.

  7. Click Submit.

  8. Find the created security rule and click Enable in the Actions column. By default, the created security rule is in the Disabled state.
  9. In the message that appears, click OK.