Enforce row-level access control - Data Management - Alibaba Cloud Documentation Center

In Data Management (DMS), you can enforce row-level access control on a table to protect the security of data rows in the table. You must be granted permissions on specific rows before you can access the rows.

Prerequisites

A database named poc_prod is created. For more information, see Design schemas.

Configure row-level access control

Log on to the DMS console as a DMS administrator.
In the top navigation bar, move the pointer over the More icon and choose System > Security > Sensitive Data.
Click the Row Level Security tab.

Click Add control group. In the dialog box that appears, set the parameters that are described in the following table.


Parameter	Description
Control Group	The name of the control group.
Row Configuration	The name of the field that is used to manage row permissions. Select the database, table, and field in sequence. In this example, the `sex` field in the `data_modify` table of the `poc_prod` database is used. Note You can click Add to add multiple fields.

Click Add.
Find the control group that you created and click Details in the Actions column.
In the Control value details panel, click Add Row Value and add the value to be managed.

In the Import Row Value dialog box, set the parameters that are described in the following table.


Parameter	Description
Append ?	Valid values: Yes: New values are added to the existing values. No: Existing values are replaced with new values.
Row Value Content	The values to be managed. In this example, enter `male,female`. This way, users must be granted permissions on the rows where the values of the sex field are `male` and `female` before they can query the data of the rows. Developers can apply for permissions on the rows as needed to query the data of the rows. Note You can add multiple values at a time. Separate multiple values with commas (,).

Click Import.
The sex field values that are used to manage row permissions are added.

Apply for row permissions

All users, including DMS administrators and database administrators (DBAs), must apply for permissions on specific rows before they can query the data of the rows. This example demonstrates how to apply for row permissions as a regular user.

Log on to the DMS console as a regular user.
In the top navigation bar, move the pointer over the More icon and choose Permission > Row-Permission.
On the Permission Application Ticket page, enter poc_prod as the database name, select Single as the granularity of the values based on which you want to apply for row permissions, and then click Search.
Note You can apply for permissions based on the following value granularities:
- ALL: You can apply for permissions on the rows where all values of the specified field reside.
- Single: You can apply for permissions on the rows where the specified value of the specified field resides.
Select the rule where the value of the sex field is male and click Add. The rule appears in the Selected Databases/Tables/Columns section.

In the Select Permission section, set the parameters that are described in the following table and click Submit.


Parameter	Description
Permission	The type of permission for which you want to apply. Valid values: Query, Export, and Change. Note You can select one or more permission types.
Duration	The validity period of the selected permissions.
Reason	The description of the business background and the reason for this application. This reduces unnecessary communication and facilitates the approval process.

Note After the ticket is submitted, wait for approval. You can view the status of the ticket in the My Tickets section of the Workbench tab.

After the ticket is approved, query the data of managed rows on the SQLConsole tab.

Only the rows where the value of the sex field is male are displayed.
You are not authorized to query the data of the rows where the value of the sex field is female.