Security rules in Data Management (DMS) enforce fine-grained access control and governance for your databases. You can create rule sets, define policies using a domain-specific language (DSL), and apply them to database instances to control querying, exporting, data changes, approval workflows, and development processes.
Prerequisites
You have a DMS administrator or database administrator (DBA) role. For details, see View system roles.
Your database instance is managed in Security Collaboration mode.
Note: Instances managed in Flexible Management or Stable Change mode support only default security rules.
What security rules can do
| Goal | How security rules help |
|---|---|
| Replace email and IM-based change requests with an online workflow | Integrate R&D processes, specifications, and approval flows so multiple developers collaboratively manage databases online |
| Maintain schema consistency across environments (dev, test, staging, production) | |
| Enforce schema design standards | |
| Block high-risk SQL statements | |
| Apply tiered approval for data changes | |
| Apply tiered approval for permission grants | |
Navigate to the security rules page
Log on to the DMS console V5.0.
Open the Security Rules page:
Compact mode: Hover over the icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.
Normal mode: In the top navigation bar, choose Security and Specifications > Security Rules.
Create a rule set
Create multiple rule sets to apply different security policies per database engine and environment.
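Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.
Note: If you use the DMS console in normal mode, choose Security and Specifications > Security Rules in the top navigation bar.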
On the Security Rules page, click Create Rule Set in the upper-left corner.
Configure the rule set:
| Parameter | Description |
|---|---|
| Engine Type | The database engine this rule set applies to. |
| Rule Set Name | A descriptive name for the rule set. |
| Remarks | The applicable scope of the security rule set, such as the intended environment. |
Click Submit.
Configure rules in a rule set
After creating a rule set, open its Details page to modify default rules or add custom rules for specific checkpoints.
For example, you can disable the "Whether the result set supports export" rule on the SQL Console tab to prevent result set exports.
When a task is submitted in DMS, the system validates the task against all related rules for the corresponding checkpoints. The task runs only after passing all validations.
Edit predefined rules
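Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.
Note: If you use the DMS console in normal mode, choose Security and Specifications > Security Rules in the top navigation bar.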
On the Security Rules page, find the target rule set and click Edit in the Actions column.
Note: To create a new rule set, see Create security rules.
In the left-side navigation pane of the Details page, select the checkpoint tab to configure.
Modify predefined configurations and toggle rule states as needed.
Create a custom rule
If predefined rules do not meet your requirements, create a custom rule.
On the Details page of the rule set, click Create Rule next to Actions.
Set the following parameters:
| Parameter | Description |
|---|---|
| Checkpoints | The checkpoint this rule applies to. You cannot create rules for the Basic Configuration Item checkpoint. Note: You cannot add rules to basic configuration items. |
| Template Database | Optional. Click Load from Template Database to pre-populate a rule template. You can modify the DSL statement predefined in the template. |
| Rule Name | A descriptive name for the rule. |
| Rule DSL | The DSL statement that defines the rule logic. Use the factors, actions, functions, and operators listed on the right side of the editor. For syntax details, see DSL syntax for security rules. |
Click Submit.
Checkpoint reference
Each tab on the rule set Details page corresponds to a checkpoint. The following table lists available checkpoints and their documentation.
| Checkpoint | Documentation |
|---|---|
| SQL Console for relational databases | SQL Console for relational databases |
| SQL Console for MongoDB | SQL Console for MongoDB |
| SQL Console for Redis | SQL Console for Redis |
| SQL Correct | SQL Correct |
| Permission application | Permission application |
| Data Export | Data Export |
| Schema Design | Schema Design |
| Synchronize databases and tables | Synchronize databases and tables |
| Data Tracking | Data Tracking |
| Sensitive Column Change | Sensitive Column Change |
| Test Data Generate | Test Data Generate |
| Database Clone | Database Clone |
Apply a rule set to instances
After configuring a rule set, apply it to one or more database instances. Two methods are available.
Batch apply (recommended)
Use this method to apply the same rule set to multiple instances at once.
Log on to the DMS console V5.0.
In the top navigation bar, click Data Assets. In the left-side navigation pane, click Instances.
Click the Instance List tab.
Select one or more instances and click Batch edit.
Note: All selected instances must use the same database engine.
In the Edit instance information in batches dialog, set Control Mode to Security Collaboration.
Select a rule set from the Security Rules drop-down list and click OK.
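The batch procedure above can be planned offline before touching the console. The following is an added sketch, not DMS code and not its API: it groups a constructed instance inventory into single-engine batches, one per rule set, and lists the instances whose control mode would change. All field names, rule set names, and instance names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data; field names are hypothetical, not the DMS API schema.
RULE_SETS = [
    {"name": "mysql-prod", "engine": "MySQL", "env": "production"},
    {"name": "mysql-dev", "engine": "MySQL", "env": "dev"},
    {"name": "pg-prod", "engine": "PostgreSQL", "env": "production"},
]
INSTANCES = [
    {"name": "orders-db", "engine": "MySQL", "env": "production", "mode": "Stable Change"},
    {"name": "users-db", "engine": "MySQL", "env": "production", "mode": "Security Collaboration"},
    {"name": "scratch-db", "engine": "MySQL", "env": "dev", "mode": "Flexible Management"},
    {"name": "ledger-db", "engine": "PostgreSQL", "env": "production", "mode": "Security Collaboration"},
    {"name": "cache-01", "engine": "Redis", "env": "production", "mode": "Flexible Management"},
]
REQUIRED_MODE = "Security Collaboration"


def plan_batches(instances, rule_sets):
    """Group instances into batch-edit operations, one per rule set.

    Every batch holds a single engine (the batch-edit constraint), and an
    instance is matched only to a rule set with its engine and environment.
    """
    by_key = {(rs["engine"], rs["env"]): rs["name"] for rs in rule_sets}
    batches = defaultdict(list)   # rule set name -> instance names
    mode_changes = []             # instances currently limited to default rules
    unmatched = []                # no rule set exists for engine + environment
    for inst in instances:
        rule_set = by_key.get((inst["engine"], inst["env"]))
        if rule_set is None:
            unmatched.append(inst["name"])
            continue
        batches[rule_set].append(inst["name"])
        if inst["mode"] != REQUIRED_MODE:
            mode_changes.append(inst["name"])
    return dict(batches), mode_changes, unmatched


if __name__ == "__main__":
    batches, mode_changes, unmatched = plan_batches(INSTANCES, RULE_SETS)
    for rule_set, names in batches.items():
        print(f"{rule_set}: batch edit {names}")
    print("control mode will change to Security Collaboration:", mode_changes)
    print("create a rule set first for:", unmatched)
```

Instances in the unmatched list need a rule set created for their engine before they can be included in a batch.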
Apply to a single instance
Log on to the DMS console V5.0.
In the left-side instance list, right-click the target instance.
Choose and select a security rule set.
In the Modify control mode dialog, click OK.