All Products
Search

This Product

    Data Export

    Document Center

    Data Export

    Last Updated: May 19, 2022

    In the Data Management Service (DMS) console, you can set security rules in the Data Export module for validating the applicant’s permissions on involved databases, tables, sensitive fields, and rows during the submission and approval of data export tickets. This helps ensure data security.

    Prerequisites

    You are a DMS administrator, database administrator (DBA), or security administrator.

    Basic configuration items

    Data export default approval Template: the default approval template that takes effect if you do not set different approval processes for data export tickets at different risk levels under the Approval Rule Validation checkpoint. You can also change the default approval template. For more information, see Procedure of changing the default approval template.

    Checkpoints

    • Approval Rule Validation: Under this checkpoint, you can customize security rules to direct data export tickets to different approval processes. For example, you can direct tickets for exporting more than a certain number of rows of data to an approval process and other tickets to another approval process. You can also use the default approval template specified under Basic Configuration Item. For more information about how to create a security rule, see Procedure of creating a security rule.
    • Pre-check Validation: Under this checkpoint, you can customize security rules to determine whether to validate the applicant’s permissions on involved databases, tables, and sensitive fields. You can also use the default approval template specified under Basic Configuration Item. For more information about how to create a security rule, see Procedure of creating a security rule.

    Factors and actions

    • Factor: A factor is a system built-in variable that is used to obtain the context to be validated by security rules, such as the subcategories of SQL statements and the number of rows in which data is affected. A factor name starts with @fac., appended with the display name of the factor type. Each module of the Security Rules page offers different factors for different checkpoints. The following table describes the supported factors in the Data Export module.
    Factor Description
    @fac.env_type The type of the environment. The value is the display name of the environment type, such as DEV and PRODUCT. For more information, see Change the environment type of an instance.
    @fac.is_ignore_export_rows_check Indicates that the applicant skips checking the number of rows of data to be affected.
    @fac.export_rows The number of rows of data to be exported.
    @fac.include_sec_columns Indicates that the data to be exported contains sensitive fields.
    @fac.sec_columns_list The sensitive fields that require or do not require approval before being exported. Specify the sensitive fields in the Table name. Field name, [Table name. Field name, …] format.
    @fac.user_is_admin Indicates that the applicant is a DMS administrator.
    @fac.user_is_dba Indicates that the applicant is a DBA.
    @fac.user_is_inst_dba Indicates that the applicant is an instance DBA.
    @fac.user_is_sec_admin Indicates that the applicant is a security administrator.

    Action: An action is the operation that the system performs after the conditions specified in the if statement are met. For example, the system can perform the relevant action to forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. Actions show the purpose of setting security rules. An action name starts with @act., appended with the display name of the action type. Each module of the Security Rules page offers different actions for different checkpoints. The following table describes the supported actions in the Data Export module.

    Action Description
    @act.do_not_approve Allows the ticket to be processed without approval.
    @act.choose_approve_template Specifies an approval template.
    @act.choose_approve_template_with_reason Specifies an approval template with a reason provided.
    @act.forbid_submit_order Forbids the ticket from being submitted.
    @act.enable_check_permission Validates the applicant’s permissions on involved databases and tables.
    @act.disable_check_permission Does not validate the applicant’s permissions on involved databases and tables.
    @act.enable_check_sec_column Validates the applicant’s permissions on involved sensitive fields.
    @act.disable_check_sec_column Does not validate the applicant’s permissions on involved sensitive fields.

    Templates of security rules

    DMS provides you with various system built-in templates of security rules. You can directly use the templates or modify the templates based on your business requirements. The following table describes the supported rule templates in the Data Export module.

    Checkpoint Feature of template
    Pre-check Validation Determines whether to validate the applicant’s permissions on involved databases and tables.
    Determines whether to validate the applicant’s permissions on involved sensitive fields.
    Determines whether to validate the applicant’s permissions on involved rows.
    Approval Rule Validation Specifies the scenarios where no approval is required.
    Specifies the approval templates for specific scenarios.

    Procedure of changing the default approval template

    1. Log on to the DMS console.

    2. In the top navigation bar, choose System Management > Security > Security Rules.
      Security rules3

    3. On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.

    4. On the Details page that appears, click the Data Export tab.
    5. On the Data Export tab, the basic configuration items appear by default.

    6. Find the Data export default approval Template configuration item and click Edit in the Actions column.
      edit

    7. In the Change Configuration Item dialog box that appears, click Switch Approval Template.

    8. In the Switch Approval Template dialog box that appears, find the target template and click Select in the Actions column.

      Note: You can also click Reset to Free of Approval to skip the approval for tickets.

    9. Click Submit.

    Procedure of creating a security rule

    1. Log on to the DMS console.
    2. In the top navigation bar, choose System Management > Security > Security Rules.
    3. On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.
    4. On the Details page that appears, click the Data Export tab.

    5. On the Data Export tab, click Create Rule next to Actions.
      create

    6. In the Create Rule - Data Export dialog box that appears, set the parameters as required. The following table describes the parameters.

      Parameter Description
      Checkpoints (Required) The checkpoint under which you want to create the security rule. The Data Export module offers the following two checkpoints:
      • Pre-check Validation
      • Approval Rule Validation
      Template Database (Optional) The template based on which you want to create the security rule. DMS provides you with various system built-in templates of security rules. After you select a checkpoint from the Checkpoints drop-down list, you can click Load from Template Database to select a template. For more information about the available templates, see Templates of security rules.
      Rule Name (Required) The name of the security rule. If you load a security rule from a template, the rule name is automatically filled in.
      Rule DSL (Required) The DSL statement used to set the security rule. For more information, see DSL syntax for security rules. If you load a security rule from a template, the statement is automatically filled in.

    7. Click Submit.

    8. Find the created security rule and click Enable in the Actions column. By default, the created security rule is in the Disabled state.
    9. In the message that appears, click OK.