This topic describes how to modify the approval template for tickets that are used to change the sensitivity levels of sensitive columns, and how to create a rule for these tickets.

Precautions

The default approval template takes effect if you do not set approval processes for tickets that are used to change the sensitivity levels of sensitive columns under the Approval Rule Validation checkpoint. In the Switch Approval Template dialog box, you can change the approval process of the default approval template. For more information about how to modify the default template, see Change the default approval template.

Basic configuration items

Checkpoints

When you submit a ticket to change the sensitivity levels of sensitive columns, DMS checks whether the ticket conforms to the rules that are specified under the checkpoints.
  • Approval Rule Validation: DMS checks whether a submitted sensitive column change ticket conforms to the rules that are specified under this checkpoint. You can use the default rules that are provided in the templates of security rules, or create a custom rule. For more information about how to create rules, see Create a rule.

Factors and actions

  • Factors
    A factor is a predefined variable in DMS. You can use factors to obtain the context to be validated by security rules. The context includes SQL statement categories and the number of rows to be affected. A factor name consists of the prefix @fac. and the display name of the factor. Each module of the Security Rules tab provides different factors for different checkpoints. The following table describes the factors that are provided for the checkpoints in the Sensitive Column Change module.
    Factor | Description
    @fac.column_level_change_type | The type of sensitivity level change that the applicant wants to perform on a sensitive column. Valid values:
    • upper: Change the sensitivity level to a higher level, including the following 3 cases:
      • Change the sensitivity level from internal to sensitive.
      • Change the sensitivity level from internal to confidential.
      • Change the sensitivity level from sensitive to confidential.
    • sensitive_to_inner: Change the sensitivity level from sensitive to internal.
    • confidential_to_sensitive: Change the sensitivity level from confidential to sensitive.
    • confidential_to_inner: Change the sensitivity level from confidential to internal.
  • Actions
    An action in a security rule is an operation that DMS performs when the IF condition in the rule is met. For example, DMS can forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. An action in a security rule shows the purpose of the security rule. An action name consists of the prefix @act. and the display name of the action. Each module of the Security Rules tab provides different actions for different checkpoints. The following table describes the actions that are provided for the checkpoints in the Sensitive Column Change module.
    Action | Description
    @act.forbid_submit_order | Forbids a ticket from being submitted. The statement is in the following format: @act.forbid_submit_order 'Reasons for forbidding the ticket from being submitted'.
    @act.do_not_approve | Specifies the ID of an approval template. For more information, see Configure approval processes.
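
An added example, not part of the DMS documentation: an offline check over the text of enabled rules that reports which values of @fac.column_level_change_type have no valid rule and therefore fall back to the default approval template. The one-condition if/then/end rule shape, the name audit_rules and the sample rules are assumptions made for illustration.

```python
import re

# Factor values and actions this page lists for the Sensitive Column Change module.
CHANGE_TYPES = ("upper", "sensitive_to_inner",
                "confidential_to_sensitive", "confidential_to_inner")
ACTIONS = ("@act.forbid_submit_order", "@act.do_not_approve")

# Assumed rule shape (the page does not show full DSL syntax):
#   if @fac.column_level_change_type == '<value>' then <action> [argument] end
RULE_RE = re.compile(
    r"if\s+@fac\.column_level_change_type\s*==\s*'([^']*)'\s+"
    r"then\s+(@act\.\w+)\s*(.*?)\s+end", re.S)

def audit_rules(enabled_rules):
    """Return (covered, uncovered, problems) for a list of enabled rule texts."""
    covered, problems = {}, []
    for i, text in enumerate(enabled_rules, 1):
        m = RULE_RE.fullmatch(text.strip())
        if not m:
            problems.append(f"rule {i}: not in the assumed if/then/end form")
            continue
        value, action, arg = m.groups()
        if value not in CHANGE_TYPES:
            # e.g. 'internal' typed where the factor value uses 'inner'
            problems.append(f"rule {i}: unknown change type {value!r}")
        elif action not in ACTIONS:
            problems.append(f"rule {i}: unknown action {action}")
        elif action == "@act.forbid_submit_order" and not re.fullmatch(r"'[^']+'", arg):
            problems.append(f"rule {i}: forbid_submit_order needs a quoted reason")
        else:
            covered[value] = action
    # Change types with no valid rule fall back to the default approval template.
    uncovered = [t for t in CHANGE_TYPES if t not in covered]
    return covered, uncovered, problems

# Constructed sample rules, not taken from a real rule set.
SAMPLE_RULES = [
    "if @fac.column_level_change_type == 'confidential_to_inner'\n"
    "then @act.forbid_submit_order 'Lower the column to sensitive first'\nend",
    "if @fac.column_level_change_type == 'sensitive_to_internal'\n"
    "then @act.forbid_submit_order 'Downgrades are frozen'\nend",
]

if __name__ == "__main__":
    covered, uncovered, problems = audit_rules(SAMPLE_RULES)
    print("covered:", covered)
    print("falls back to default template:", uncovered)
    print("problems:", problems)
```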

Templates of security rules

DMS provides you with a large number of predefined security rule templates. You can enable the templates or modify the templates based on your business requirements. In the Sensitive Column Change module, the following rule templates are provided under the Approval Rule Validation checkpoint:
  • Specify that no approval is required to change the sensitivity level of a sensitive column to a higher level.
  • Set an approval process for changing the sensitivity level of a sensitive column from sensitive to internal.
  • Set an approval process for changing the sensitivity level of a sensitive column from confidential to sensitive.
  • Set an approval process for changing the sensitivity level of a sensitive column from confidential to internal.

Change the default approval template

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, click Security Rules.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > Security > Security Rules.
  3. Find the rule set that you want to edit and click Edit in the Actions column.
  4. In the left-side navigation pane of the Details page, choose Security and Specifications > Sensitive Column Change.
  5. Select Basic Configuration Item for Checkpoints.
  6. Find the Sensitive column default approval Template configuration item and click Edit in the Actions column.
  7. In the Change Configuration Item dialog box, click Switch Approval Template.
  8. Find the Template Name of the template that you want to use and click Select in the Actions column.
    Note: You can also click Reset to Free of Approval to skip the approval processes.
  9. Click Submit.

Create a rule

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, click Security Rules.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > Security > Security Rules.
  3. Find the rule set for which you want to create a rule and click Edit in the Actions column.
  4. In the left-side navigation pane of the Details page, choose Security and Specifications > Sensitive Column Change.
  5. Select Basic Configuration Item for checkpoints.
  6. Click Create Rule and specify the parameters as required. The following table describes the parameters.
    Parameter | Required | Description
    Checkpoints | Yes | The checkpoint for which you want to create the security rule. The Approval Rule Validation checkpoint is provided in the Sensitive Column Change module.
    Template Database | No | The template that you want to use to create the security rule. DMS provides a large number of security rule templates. After you specify the Checkpoints parameter, you can click Load from Template Database and select a template as required. For more information about the available templates, see Basic configuration items.
    Rule Name | Yes | The name of the custom security rule. Note: If you load a security rule from the Template Database, the rule name is automatically entered.
    Rule DSL | Yes | The DSL statement that you want to use to configure the security rule. For more information, see DSL syntax for security rules. Note: If you load a security rule from the Template Database, the DSL statement is automatically entered.
  7. Click Submit.
    Note: The new rule is Disabled by default. On the current page, select the corresponding checkpoint, find the new rule, click Enable in the Actions column, and click OK. Then, the new rule is enabled.