In the Data Management Service (DMS) console, you can set security rules in the Data Export module for validating the applicant’s permissions on involved databases, tables, sensitive fields, and rows during the submission and approval of data export tickets. This helps ensure data security.
Prerequisites
You are a DMS administrator, database administrator (DBA), or security administrator.
Basic configuration items
Data export default approval Template: the default approval template that takes effect if you do not set different approval processes for data export tickets at different risk levels under the Approval Rule Validation checkpoint. You can also change the default approval template. For more information, see Procedure of changing the default approval template.
Checkpoints
- Approval Rule Validation: Under this checkpoint, you can customize security rules to direct data export tickets to different approval processes. For example, you can direct tickets for exporting more than a certain number of rows of data to an approval process and other tickets to another approval process. You can also use the default approval template specified under Basic Configuration Item. For more information about how to create a security rule, see Procedure of creating a security rule.
- Pre-check Validation: Under this checkpoint, you can customize security rules to determine whether to validate the applicant’s permissions on involved databases, tables, and sensitive fields. You can also use the default approval template specified under Basic Configuration Item. For more information about how to create a security rule, see Procedure of creating a security rule.
Factors and actions
- Factor: A factor is a system built-in variable that is used to obtain the context to be validated by security rules, such as the subcategories of SQL statements and the number of rows of data that is affected. A factor name starts with the @fac. prefix, followed by the display name of the factor type. Each module of the Security Rules page offers different factors for different checkpoints. The following table describes the supported factors in the Data Export module.
Factor | Description |
---|---|
@fac.env_type | The type of the environment. The value is the display name of the environment type, such as DEV and PRODUCT. For more information, see Change the environment type of an instance. |
@fac.is_ignore_export_rows_check | Indicates whether the applicant chose to skip the check on the number of rows of data to be affected. |
@fac.export_rows | The number of rows of data to be exported. |
@fac.include_sec_columns | Indicates whether the data to be exported contains sensitive fields. |
@fac.sec_columns_list | The sensitive fields that require or do not require approval before being exported. Specify the sensitive fields in the Table name.Field name, [Table name.Field name, …] format. |
@fac.user_is_admin | Indicates that the applicant is a DMS administrator. |
@fac.user_is_dba | Indicates that the applicant is a DBA. |
@fac.user_is_inst_dba | Indicates that the applicant is an instance DBA. |
@fac.user_is_sec_admin | Indicates that the applicant is a security administrator. |
- Action: An action is the operation that the system performs after the conditions specified in the if statement are met. For example, the system can perform the relevant action to forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. Actions show the purpose of setting security rules. An action name starts with the @act. prefix, followed by the display name of the action type. Each module of the Security Rules page offers different actions for different checkpoints. The following table describes the supported actions in the Data Export module.
Action | Description |
---|---|
@act.do_not_approve | Allows the ticket to be processed without approval. |
@act.choose_approve_template | Specifies an approval template. |
@act.choose_approve_template_with_reason | Specifies an approval template with a reason provided. |
@act.forbid_submit_order | Forbids the ticket from being submitted. |
@act.enable_check_permission | Validates the applicant’s permissions on involved databases and tables. |
@act.disable_check_permission | Does not validate the applicant’s permissions on involved databases and tables. |
@act.enable_check_sec_column | Validates the applicant’s permissions on involved sensitive fields. |
@act.disable_check_sec_column | Does not validate the applicant’s permissions on involved sensitive fields. |
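The following Python model is added here to show how the factors and actions above combine at the two checkpoints; it is an illustration, not DMS code or the DSL itself. Each rule pairs a condition (a lambda standing in for the DSL if clause) with an action; the evaluation order (Pre-check actions accumulate, the first matching Approval rule wins), the template names and the row thresholds are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Ctx:
    """Values of the @fac.* factors for one data export ticket (constructed input)."""
    env_type: str                              # @fac.env_type, e.g. "DEV" or "PRODUCT"
    export_rows: int                           # @fac.export_rows
    include_sec_columns: bool = False          # @fac.include_sec_columns
    is_ignore_export_rows_check: bool = False  # @fac.is_ignore_export_rows_check
    user_is_admin: bool = False                # @fac.user_is_admin
    user_is_dba: bool = False                  # @fac.user_is_dba
    user_is_sec_admin: bool = False            # @fac.user_is_sec_admin

PRE_CHECK = "Pre-check Validation"
APPROVAL = "Approval Rule Validation"
DEFAULT_TEMPLATE = "DEFAULT_EXPORT_TEMPLATE"   # placeholder name for the default approval template

# Each rule is (checkpoint, condition, action). The condition is a Python lambda
# standing in for the DSL "if" clause; template names and thresholds are assumptions.
RULES = [
    # Pre-check Validation: DMS administrators skip the database/table permission check,
    # security administrators skip the sensitive-field check (assumed policy).
    (PRE_CHECK, lambda c: not c.user_is_admin, "@act.enable_check_permission"),
    (PRE_CHECK, lambda c: c.include_sec_columns and not c.user_is_sec_admin,
     "@act.enable_check_sec_column"),
    # Approval Rule Validation, most restrictive rule first.
    (APPROVAL, lambda c: c.env_type == "PRODUCT" and c.export_rows > 1_000_000,
     ("@act.forbid_submit_order",)),
    (APPROVAL, lambda c: c.env_type == "PRODUCT" and c.include_sec_columns,
     ("@act.choose_approve_template_with_reason", "SEC_ADMIN_TEMPLATE",
      "sensitive fields exported from PRODUCT")),
    (APPROVAL, lambda c: c.export_rows > 100_000 and not c.is_ignore_export_rows_check,
     ("@act.choose_approve_template", "DBA_TEMPLATE")),
    (APPROVAL, lambda c: c.env_type == "DEV" and (c.user_is_dba or c.user_is_admin),
     ("@act.do_not_approve",)),
]

def pre_check(ctx, rules=RULES):
    """Every matching Pre-check rule contributes its action: the two checks are independent."""
    return sorted({action for cp, cond, action in rules if cp == PRE_CHECK and cond(ctx)})

def approval(ctx, rules=RULES):
    """First matching Approval rule wins; with no match the default approval template applies."""
    for cp, cond, action in rules:
        if cp == APPROVAL and cond(ctx):
            return action
    return ("@act.choose_approve_template", DEFAULT_TEMPLATE)

if __name__ == "__main__":
    ticket = Ctx("PRODUCT", 200_000, include_sec_columns=True)
    print(pre_check(ticket), approval(ticket))
```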
Templates of security rules
DMS provides you with various system built-in templates of security rules. You can directly use the templates or modify the templates based on your business requirements. The following table describes the supported rule templates in the Data Export module.
Checkpoint | Feature of template |
---|---|
Pre-check Validation | Determines whether to validate the applicant’s permissions on involved databases and tables. |
Pre-check Validation | Determines whether to validate the applicant’s permissions on involved sensitive fields. |
Pre-check Validation | Determines whether to validate the applicant’s permissions on involved rows. |
Approval Rule Validation | Specifies the scenarios where no approval is required. |
Approval Rule Validation | Specifies the approval templates for specific scenarios. |
Procedure of changing the default approval template
- Log on to the DMS console.
- In the top navigation bar, choose System Management > Security > Security Rules.
- On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.
- On the Details page that appears, click the Data Export tab.
- On the Data Export tab, the basic configuration items appear by default. Find the Data export default approval Template configuration item and click Edit in the Actions column.
- In the Change Configuration Item dialog box that appears, click Switch Approval Template.
- In the Switch Approval Template dialog box that appears, find the target template and click Select in the Actions column.
  Note: You can also click Reset to Free of Approval to skip the approval for tickets.
- Click Submit.
Procedure of creating a security rule
- Log on to the DMS console.
- In the top navigation bar, choose System Management > Security > Security Rules.
- On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.
- On the Details page that appears, click the Data Export tab.
- On the Data Export tab, click Create Rule next to Actions.
- In the Create Rule - Data Export dialog box that appears, set the parameters as required. The following table describes the parameters.

Parameter | Description |
---|---|
Checkpoints (Required) | The checkpoint under which you want to create the security rule. The Data Export module offers the following two checkpoints: Pre-check Validation and Approval Rule Validation. |
Template Database (Optional) | The template based on which you want to create the security rule. DMS provides you with various system built-in templates of security rules. After you select a checkpoint from the Checkpoints drop-down list, you can click Load from Template Database to select a template. For more information about the available templates, see Templates of security rules. |
Rule Name (Required) | The name of the security rule. If you load a security rule from a template, the rule name is automatically filled in. |
Rule DSL (Required) | The DSL statement used to set the security rule. For more information, see DSL syntax for security rules. If you load a security rule from a template, the statement is automatically filled in. |

- Click Submit.
- Find the created security rule and click Enable in the Actions column. By default, the created security rule is in the Disabled state.
- In the message that appears, click OK.