Data Management (DMS) allows you to manage security rules on the Data Export tab to validate the permissions of data export applicants on the databases, tables, sensitive fields, and rows involved in data export operations after the applicants submit data export tickets. This helps ensure data security.

Prerequisites

You are a DMS administrator, DBA, or security administrator. For more information about how to view the system roles of users, see View system roles.

Precautions

You can set approval processes only for instances whose control mode is Security Collaboration. For more information, see Modify the default approval template.

Basic configuration items

You can configure approval processes for data export tickets at different risk levels under the approval rule validation checkpoint. If you do not configure an approval process, the default approval template is used. You can change the approval process of the default approval template by clicking Switch Approval Template. For more information, see Modify the default approval template.

Checkpoints

  • Approval Rule Validation: Allows you to submit data export tickets to different approval processes by configuring security rules. For example, tickets for exporting more than a certain number of data rows are submitted to one approval process and other tickets are submitted to another approval process. You can also use the Default approval template for data export under Basic Configuration Item. For more information, see Create a rule.
  • Pre-check Validation: Allows you to configure custom security rules to specify whether to validate the permissions of applicants on involved databases, tables, sensitive fields, and rows. You can also use the Default approval template for data export under Basic Configuration Item. For more information, see Create a rule.

Factors and actions

  • Factors
    A factor is a predefined variable in DMS. You can use factors to obtain the context to be validated by security rules. The context includes SQL statement categories and the number of rows to be affected. A factor name consists of the prefix @fac. and the display name of the factor. Each module of the Security Rules tab provides different factors for different checkpoints. The following table describes the factors provided for the checkpoints in Data Export.
    Factor | Description
    @fac.env_type | The type of the environment. The value is the display name of the environment type, such as DEV or PRODUCT. For information about more environment types, see Environment types.
    @fac.is_ignore_export_rows_check | A Boolean value that indicates whether to skip the check on the number of rows to be affected.
    @fac.export_rows | The number of rows to be exported.
    @fac.include_sec_columns | A Boolean value that indicates whether the data to be exported contains sensitive fields.
    @fac.sec_columns_list | The sensitive fields contained in the data to be exported. The fields are listed in the format of table name.field name, [table name.field name, ...].
    @fac.user_is_admin | A Boolean value that indicates whether the applicant is a DMS administrator.
    @fac.user_is_dba | A Boolean value that indicates whether the applicant is a DBA.
    @fac.user_is_inst_dba | A Boolean value that indicates whether the applicant is the DBA of the current instance.
    @fac.user_is_sec_admin | A Boolean value that indicates whether the applicant is a security administrator.
  • Actions
    An action in a security rule is an operation that DMS performs when the IF condition in the rule is met. For example, DMS can forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. An action in a security rule shows the purpose of the security rule. An action name consists of the prefix @act. and the display name of the action. Each module of the Security Rules tab provides different actions for different checkpoints. The following table describes the actions provided for the checkpoints in Data Export.
    Action | Description
    @act.do_not_approve | Allows a ticket to be processed without approval.
    @act.choose_approve_template | Specifies an approval template.
    @act.choose_approve_template_with_reason | Specifies an approval template and provides the reason.
    @act.forbid_submit_order | Forbids the submission of the ticket.
    @act.enable_check_permission | Validates the permissions of the applicant on involved databases and tables.
    @act.disable_check_permission | Does not validate the permissions of the applicant on involved databases and tables.
    @act.enable_check_sec_column | Validates the permissions of the applicant on involved sensitive fields.
    @act.disable_check_sec_column | Does not validate the permissions of the applicant on involved sensitive fields.
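    The following Python model, added here as an illustration and not DMS's own rule engine or DSL, shows how the factors above feed the two checkpoints: an Approval Rule Validation step that picks one action per ticket, and a Pre-check Validation step that decides whether the sensitive-field check runs and applies it against the applicant's grants. The row limit, template names, and the applicant's granted columns are assumed values.

```python
from dataclasses import dataclass

@dataclass
class ExportTicket:
    """Constructed ticket context; field names mirror the @fac.* factors."""
    env_type: str
    export_rows: int
    is_ignore_export_rows_check: bool = False
    include_sec_columns: bool = False
    sec_columns_list: str = ""      # "table.field, [table.field, ...]" format
    user_is_admin: bool = False
    user_is_dba: bool = False
    user_is_inst_dba: bool = False
    user_is_sec_admin: bool = False

ROW_LIMIT = 100_000                 # assumed threshold, not from DMS

def parse_sec_columns(sec_columns_list: str) -> set:
    """Turn the @fac.sec_columns_list string into a set of table.field names."""
    cleaned = sec_columns_list.replace("[", "").replace("]", "")
    parts = (p.strip() for p in cleaned.split(","))
    return {p for p in parts if p and p != "..."}

def approval_rule_validation(t: ExportTicket) -> str:
    """Approval Rule Validation: return the single action chosen for the ticket."""
    if t.user_is_admin or t.user_is_dba or t.user_is_inst_dba:
        return "@act.do_not_approve"
    if not t.is_ignore_export_rows_check and t.export_rows > ROW_LIMIT:
        return "@act.forbid_submit_order"          # oversized export is blocked
    if t.env_type == "PRODUCT" and t.include_sec_columns:
        # assumed template name: route sensitive production exports to sec admins
        return "@act.choose_approve_template_with_reason:SecAdminApproval"
    return "@act.choose_approve_template:DefaultExportApproval"

def pre_check_validation(t: ExportTicket, granted_sec_columns: set) -> dict:
    """Pre-check Validation: choose the permission checks, then run the
    sensitive-field check and report fields the applicant is not granted."""
    actions = ["@act.enable_check_permission"]
    missing = set()
    if t.include_sec_columns and not t.user_is_sec_admin:
        actions.append("@act.enable_check_sec_column")
        missing = parse_sec_columns(t.sec_columns_list) - granted_sec_columns
    else:
        actions.append("@act.disable_check_sec_column")
    return {"actions": actions, "missing_sec_columns": sorted(missing)}
```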

Modify the default approval template

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose Security and Specifications > Security Rules.
  3. Find the rule set you want to manage, and click Edit in the Actions column.
  4. In the left-side navigation pane of the Details page, click Data Export.
  5. Select Basic Configuration Item for Checkpoints.
  6. Find the Default Approval template for Data Export rule and click Edit in the Actions column.
  7. In the Change Configuration Item dialog box, click Switch Approval Template.
  8. Find the target template and click Select in the Actions column.
    Note You can also click Reset to Free of Approval to skip the approval for tickets.
  9. Click Submit.

Create a rule

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose Security and Specifications > Security Rules.
  3. Find the target security rule set and click Edit in the Actions column.
  4. In the left-side navigation pane of the Details page, click Data Export.
  5. Select Basic Configuration Item for Checkpoints.
  6. Click Create Rule.
  7. In the Create Rule - Data Export dialog box, configure the following parameters:
    Configuration item | Required | Description
    Checkpoints | Yes | The checkpoint under which you want to create the security rule. The following two checkpoints are provided in Data Export:
      • Pre-check Validation
      • Approval Rule Validation
    Template Database | Yes | The template that you want to use to create the security rule. DMS provides a large number of security rule templates. After you select a checkpoint, click Load from Template Database and select a template. The template database provides the following templates:
      • Pre-check Validation: Control database table permission verification, Control sensitive column permission verification, and Control row permission verification.
      • Approval Rule Validation: No approval, Default approval definition, and Set up an approval process involving export of highly sensitive fields.
    Rule Name | Yes | The name of the custom security rule.
      Note If you load a rule template from Template Database, the rule name is automatically entered.
    Rule DSL | Yes | The DSL statement for the security rule. For more information about the DSL syntax, see DSL syntax for security rules.
      • When you write the DSL statement, you can use the factors, actions, functions, and operators that are displayed on the right.
      • If you load a rule template, you can modify the predefined DSL statement included in the template.
  8. Click Submit.
    Note The new rule is Disabled by default. On the current page, select the corresponding checkpoint, find the new rule, click Enable in the Actions column, and click OK. Then, the new rule is enabled.