In Data Management (DMS), you can enforce row-level access control on a table to protect the rows in the table. Users must be granted permissions on specific rows before they can access those rows.

Prerequisites

A database named poc_prod is created. For more information, see Design schemas.

Configure row-level access control

  1. Log on to the DMS console as a DMS administrator.
  2. In the top navigation bar, move the pointer over the More icon and choose System > Security > Sensitive Data.
  3. Click the Row Level Security tab on the left.
  4. Click Add control group. In the dialog box that appears, set the parameters that are described in the following table.
    Parameter | Description
    Control Group | The name of the control group.
    Row Configuration | The name of the field that is used to manage row permissions. Select the database, table, and field in sequence. In this example, the sex field in the data_modify table of the poc_prod database is used. Note: You can click Add to add multiple fields.
  5. Click Add.
  6. Find the control group that you created and click Details in the Actions column.
  7. In the Control value details panel, click Add Row Value and add the value to be managed.
  8. In the Import Row Value dialog box, set the parameters that are described in the following table.
    Parameter | Description
    Append ? | Valid values: Yes (new values are added to the existing values) and No (existing values are replaced with new values).
    Row Value Content | One or more values to be managed. In this example, enter male,female. Users must then be granted permissions on the rows where the value of the sex field is male or female before they can query those rows. Developers can apply for permissions on the rows as needed. Note: You can add multiple values at a time. Separate multiple values with commas (,).
  9. Click Import.
    The sex field values that are used to manage row permissions are added.

Apply for row permissions

All users, including DMS administrators and database administrators (DBAs), must apply for permissions on specific rows before they can query the data of the rows. This example demonstrates how to apply for row permissions as a regular user.

  1. Log on to the DMS console as a regular user.
  2. In the top navigation bar, move the pointer over the More icon and choose Permission > Row-Permission.
  3. On the Permission Application Ticket tab, enter poc_prod as the database name, select Single as the granularity of the values based on which you want to apply for row permissions, and then click Search.
    Note: You can apply for permissions based on the following value granularities:
    • ALL: You can apply for permissions on the rows that contain any of the values of the specified field.
    • Single: You can apply for permissions on the rows that contain the specified value of the specified field.
  4. Select the rule where the value of the sex field is male and click Add. The rule appears in the Selected Databases/Tables/Columns section.
  5. In the Select Permission section, set the parameters as required and click Submit. The following table describes the parameters.
    Parameter | Description
    Permission | The type of permission for which you want to apply. Valid values: Query, Export, and Change. Note: You can select one or more permission types.
    Duration | The validity period of the selected one or more permissions.
    Reason | The description of the business background and the reason for this application. This reduces unnecessary communication and facilitates the approval process.
    Note: After the ticket is submitted, wait for approval. You can view the status of the ticket in the My Tickets section of the Workbench tab.
  6. After the ticket is approved, query the data of managed rows on the SQLConsole tab.

    Only the rows where the value of the sex field is male are displayed.

    You are not authorized to query the data of the rows where the value of the sex field is female.

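The access decision described in the two procedures above can be modelled in a few lines. This is an added example, not DMS code: the Grant fields, the user names, the sample rows and the dates are constructed, and because the page does not say how values that were never imported are treated, the model refuses to decide for them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COLUMN = ("poc_prod", "data_modify", "sex")   # field from the page's control group
MANAGED = {COLUMN: {"male", "female"}}        # row values imported in step 8

@dataclass(frozen=True)
class Grant:                 # one approved ticket (field names are this model's own)
    user: str
    column: tuple
    granularity: str         # "ALL" or "Single"
    value: Optional[str]     # the row value for Single, None for ALL
    permissions: frozenset   # subset of {"Query", "Export", "Change"}
    expires: datetime        # end of the approved Duration

def may_access(value, grants, user, column, permission, now):
    """True if a live grant lets `user` use `permission` on rows holding `value`."""
    if value not in MANAGED[column]:
        # Assumption gap: the page does not describe unmanaged values,
        # so the model raises instead of guessing.
        raise ValueError(f"{value!r} is not a managed row value")
    for g in grants:
        if g.user != user or g.column != column or permission not in g.permissions:
            continue
        if now >= g.expires:
            continue         # the approved duration has lapsed
        if g.granularity == "ALL" or g.value == value:
            return True
    return False             # no role check: administrators and DBAs need a grant too

def visible_rows(rows, grants, user, column, permission, now):
    """Rows a query returns once row-level control is applied."""
    field = column[2]
    return [r for r in rows if may_access(r[field], grants, user, column, permission, now)]

# Constructed sample rows and grants.
NOW = datetime(2024, 1, 1, 12, 0)
ROWS = [{"id": 1, "sex": "male"}, {"id": 2, "sex": "female"}, {"id": 3, "sex": "male"}]
GRANTS = [
    Grant("dev_single", COLUMN, "Single", "male", frozenset({"Query"}), NOW + timedelta(days=30)),
    Grant("dev_all", COLUMN, "ALL", None, frozenset({"Query", "Export"}), NOW + timedelta(days=30)),
]

if __name__ == "__main__":
    for user in ("dev_single", "dev_all", "dms_admin"):
        print(user, [r["id"] for r in visible_rows(ROWS, GRANTS, user, COLUMN, "Query", NOW)])
```

When reviewing approved tickets, the same three questions apply to each one: which value it covers, which permission types it carries, and when its duration ends.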