In DMS, when a user submits a ticket to change the sensitivity level of a sensitive column, DMS evaluates the security rules configured under the Approval Rule Validation checkpoint. This page explains how to configure the default approval template for these tickets and how to create custom security rules.
How it works
DMS uses a three-tier sensitivity hierarchy, from lowest to highest: internal, sensitive, and confidential. When a user submits a sensitive column change ticket, DMS evaluates the rules under the Approval Rule Validation checkpoint in the Sensitive Column Change module.
The evaluation uses two building blocks:
Factors — predefined variables that expose ticket context, such as the direction of a sensitivity level change. Use them to write rule conditions.
Actions — operations that DMS performs when a rule condition is met, such as blocking submission or routing to an approval template.
If no approval processes are configured or no custom rule matches, the default approval template applies.
Factors and actions
Factors
A factor name has the format @fac.<display-name>.
The following factor is available for the Approval Rule Validation checkpoint in the Sensitive Column Change module.
| Factor | Description |
|---|---|
@fac.column_level_change_type | The direction of the sensitivity level change. Valid values: upper, sensitive_to_inner, confidential_to_sensitive, confidential_to_inner. |
The column_level_change_type factor takes the following values:
| Value | Change direction |
|---|---|
upper | To a higher level — covers three cases: internal → sensitive, internal → confidential, or sensitive → confidential |
sensitive_to_inner | sensitive → internal |
confidential_to_sensitive | confidential → sensitive |
confidential_to_inner | confidential → internal |
Actions
An action name has the format @act.<display-name>.
| Action | Description |
|---|---|
@act.forbid_submit_order | Blocks ticket submission. Format: @act.forbid_submit_order 'Reason for blocking' |
@act.do_not_approve | Specifies the ID of an approval template to use. For details, see Configure approval processes. |
For full DSL syntax, see DSL syntax for security rules.
Predefined rule templates
DMS provides four predefined rule templates under the Approval Rule Validation checkpoint in the Sensitive Column Change module:
No approval required to change a sensitivity level to a higher level
Approval process for sensitive → internal changes
Approval process for confidential → sensitive changes
Approval process for confidential → internal changes
Load these templates when creating a rule, or use them as a starting point for custom rules.
Change the default approval template
The default approval template applies to sensitive column change tickets when no custom rules match under the Approval Rule Validation checkpoint.
Prerequisites
Before you begin, ensure that you have:
Access to the DMS console V5.0
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
Permission to edit security rule sets
Steps
Log on to the DMS console V5.0.
In the upper-left corner, hover over the
icon and choose All functions > Security and Specifications > Security Rules.If you use the DMS console in normal mode, choose Security and Specifications > Security Rules in the top navigation bar.
Find the rule set to edit and click Edit in the Actions column.
In the left-side navigation pane of the Details page, choose Security and Specifications > Sensitive Column Change.
Set Checkpoints to Basic Configuration Item.
Find the Sensitive column default approval Template configuration item and click Edit in the Actions column.
In the Change Configuration Item dialog box, click Switch Approval Template.
Find the template to use by Template Name and click Select in the Actions column.
To skip approval entirely, click Reset to Free of Approval.
Click Submit.
Create a rule
Create a custom security rule to control approval behavior for specific types of sensitive column changes.
Prerequisites
Before you begin, ensure that you have:
Access to the DMS console V5.0
Permission to edit security rule sets
Steps
Log on to the DMS console V5.0.
In the upper-left corner, hover over the
icon and choose All functions > Security and Specifications > Security Rules.If you use the DMS console in normal mode, choose Security and Specifications > Security Rules in the top navigation bar.
Find the rule set to edit and click Edit in the Actions column.
In the left-side navigation pane of the Details page, choose Security and Specifications > Sensitive Column Change.
Set Checkpoints to Basic Configuration Item.
Click Create Rule and fill in the parameters.
Parameter Required Description Checkpoints Yes The checkpoint for the rule. The Approval Rule Validation checkpoint is available in the Sensitive Column Change module. Template Database No A predefined rule template to use as a starting point. After selecting a checkpoint, click Load from Template Database and choose a template. For available templates, see Predefined rule templates. Rule Name Yes A name for the rule. Auto-filled when you load from the Template Database. Rule DSL Yes The DSL statement for the rule. Auto-filled when you load from the Template Database. For syntax details, see DSL syntax for security rules. Click Submit.
New rules are Disabled by default. To activate a rule, select the checkpoint on the current page, find the rule, click Enable in the Actions column, and click OK.