DMS security rules are written in a domain-specific language (DSL) and let you manage databases at a fine granularity. The rules govern Data Management (DMS) features such as querying, exporting, and changing data, so you can codify operation guidelines and define the development process for your databases instead of enforcing them by hand.

Scenarios

Scenario: You have to rely on external communication systems such as email and instant messaging (IM) services to coordinate with colleagues, and data changes are applied manually. An online process management system is required.
Solution:
  • Security rules integrate development standards, development processes, and approval processes and coordinate DMS features so that multiple developers can collaborate.
  • Security rules support various SQL engines. You can customize security rules to check and manage SQL statements as needed.
  • Security rules provide a powerful approval feature. You can customize approval processes based on different user behavior.

Security rules also address the following scenarios:
  • You want to manage the development process of databases to keep schemas consistent across environments. For example, design and verify a database in a development environment, then publish it to a joint debugging and test environment. After joint debugging and testing, publish it to a staging environment. After the database is verified in the staging environment, publish it to a production environment.
  • You want to enforce schema design standards. For example, every table must be created with a primary key, and a column added to an existing table must be defined as NOT NULL.
  • You want to block high-risk SQL statements, such as statements that delete data (DELETE) or drop tables (DROP TABLE), and allow only SELECT statements.
  • You want differentiated approval processes for database operations. For example, no approval is required for writing data, the approval of a business manager is required for changing 10,000 data records or less, and the approval of both a business manager and a database administrator (DBA) is required for changing more than 10,000 data records.
  • You want differentiated approval processes for granting permissions on databases. For example, no approval is required for granting permissions on databases in a test environment, but the approval of a business manager is required for granting permissions on databases in a production environment.
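The checks and approval tiers listed above are exactly the kind of logic a security rule set encodes. The page does not show the DSL itself, so the following is an added example that implements the same policies in plain Python as a pre-execution gate: it is not DMS's DSL and not Alibaba Cloud code. The sample SQL statements are constructed for the example. Two interpretations are assumptions: "writing data" is read as INSERT statements (UPDATE and DELETE are treated as changes that need approval), and a permission grant in any environment other than test is treated like production, failing closed.

```python
"""Illustrative change gate modelled on the security-rule scenarios above.
Added example code, not the DMS DSL; heuristics, not a full SQL parser."""
import re

ROW_THRESHOLD = 10_000  # threshold from the page's approval example

# Clauses after ADD that are not column definitions and need no NOT NULL check.
NON_COLUMN_ADDS = {"INDEX", "KEY", "CONSTRAINT", "PRIMARY", "UNIQUE",
                   "FOREIGN", "FULLTEXT"}


def split_statements(sql: str) -> list:
    """Split on ';' outside quotes, so 'SELECT 1; DROP TABLE t' is two
    statements but SELECT ';' is one. Backslash escapes are not handled."""
    parts, buf, quote = [], [], None
    for ch in sql:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"', "`"):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def statement_type(sql: str) -> str:
    """First keyword of a statement, with leading -- and /* */ comments
    stripped so a comment cannot disguise a high-risk statement."""
    body = re.sub(r"(--[^\n]*|/\*.*?\*/)", " ", sql, flags=re.S)
    m = re.match(r"\s*(\w+)", body)
    return m.group(1).upper() if m else ""


def allowed_in_sqlconsole(sql: str) -> bool:
    """Rule 'only SELECT statements are allowed': every statement in the
    submitted text must be a SELECT, otherwise the whole text is rejected."""
    return all(statement_type(s) == "SELECT" for s in split_statements(sql))


def schema_violations(sql: str) -> list:
    """Schema design standards: CREATE TABLE needs a PRIMARY KEY, and each
    column added by ALTER TABLE ... ADD must be NOT NULL."""
    out = []
    for stmt in split_statements(sql):
        kind = statement_type(stmt)
        if kind == "CREATE" and re.search(r"\bTABLE\b", stmt, re.I):
            if not re.search(r"\bPRIMARY\s+KEY\b", stmt, re.I):
                out.append("CREATE TABLE without PRIMARY KEY")
        elif kind == "ALTER":
            # name, then everything up to the next top-level comma;
            # a parenthesised group such as VARCHAR(64) is kept whole
            pattern = r"\bADD\s+(?:COLUMN\s+)?(\w+)((?:[^,(]|\([^)]*\))*)"
            for name, rest in re.findall(pattern, stmt, re.I):
                if name.upper() in NON_COLUMN_ADDS:
                    continue
                if not re.search(r"\bNOT\s+NULL\b", rest, re.I):
                    out.append(f"ALTER TABLE adds nullable column {name}")
    return out


def approval_for_change(sql: str, affected_rows: int) -> list:
    """Approval tiers for data changes. Assumption: 'writing data' means
    INSERT only; UPDATE/DELETE are tiered by affected row count."""
    kinds = {statement_type(s) for s in split_statements(sql)}
    if kinds <= {"INSERT"}:
        return []
    if affected_rows <= ROW_THRESHOLD:
        return ["business manager"]
    return ["business manager", "DBA"]


def approval_for_grant(environment: str) -> list:
    """Approval for granting permissions. Only 'test' is exempt; any other
    environment is treated like production (assumed fail-closed default)."""
    return [] if environment == "test" else ["business manager"]
```

The gate is meant to run before a statement reaches the engine; anything it cannot classify (for example an `ALTER TABLE ... ADD (a INT, b INT)` column list) is simply not flagged, so treat it as a complement to, not a replacement for, the engine-side rule set.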

Supported database engines

The following database engines are supported:
  • MySQL series: native MySQL, ApsaraDB RDS for MySQL, PolarDB for MySQL, PolarDB-X, AnalyticDB for MySQL, and ApsaraDB OceanBase for MySQL
  • PostgreSQL series: native PostgreSQL, PolarDB for PostgreSQL, and AnalyticDB for PostgreSQL
  • Oracle series: native Oracle, ApsaraDB OceanBase for Oracle, and PolarDB-O
  • SQL Server
  • MariaDB
  • Data Lake Analytics (DLA)
  • Redis
  • MongoDB
  • MaxCompute
  • HBase
  • ClickHouse

Usage notes

Only users who hold the DBA or DMS administrator role can perform the operations described in this topic.

Create security rules

You can create multiple security rules for databases in different environments.

  1. Log on to the DMS console.
  2. In the top navigation bar, move the pointer over the More icon and choose System > Security Rules. The Security Rules tab appears.
  3. In the upper-left corner, click Create Rule Set.
  4. In the dialog box that appears, set the parameters that are described in the following table.
    Create Rule Set
    Parameter Description
    Engine Type The database engine for which you want to create a security rule set.
    Rule Set Name The name of the rule set.
    Remarks The information about the rule set for easy identification. For example, you can enter the applicable scope of the rule set.
  5. Click Submit.
    On the Details tab, configure security rules as needed. You can also use the default configurations of security rules.

    For example, you can disable the Whether the result set supports export rule on the SQLConsole tab. By default, this rule is enabled. After this rule is disabled, you cannot export the result sets that are returned in the SQLConsole after you perform queries on databases that run the specified engine.

    Note For more information about the syntax of security rules, see DSL syntax for security rules. Security rules have different configuration items for different modules. For more information, see the following topics:

Change the security rules of a database instance

Note This section applies only to database instances whose control mode is Security Collaboration. Instances whose control mode is Flexible Management or Stable Change use the default security rules, which cannot be changed.
  1. Log on to the DMS console.
  2. Change the security rules of a database instance.
    • Method 1:
      1. In the left-side navigation pane, right-click the database instance that you want to manage. In the shortcut menu that appears, choose Control Mode > Security Collaboration and select the security rule set that you want to apply to the instance.
    • Method 2:
      1. In the top navigation bar, move the pointer over the More icon and choose System > Instance. The Instance List tab appears.
      2. Select the database instances that you want to manage and click Batch edit in the upper part of the page.
        Note You can select multiple database instances at a time, but they must all run the same database engine.
      3. In the Edit instance information in batches dialog box, set the Control Mode parameter to Security Collaboration.
      4. Select a security rule set from the Security Rules drop-down list to apply the security rule set to the instances.