Data Management: Permission application

Last Updated: Apr 01, 2026

Use the Access apply tab in Security Rules to define approval workflows for permission requests on database instances, databases, tables, columns, rows, programmable objects, and data ownership. Rules are written in DMS's domain-specific language (DSL) and evaluated as checkpoints when users submit permission tickets.

How it works

When a user submits a permission ticket, DMS evaluates it against the rules defined under each checkpoint. The ticket proceeds only when it passes all applicable rules. Each checkpoint maps to specific ticket types and has a default approval template that applies when no custom rules match.

The following table shows how permission types, checkpoints, and default templates relate to each other:

| Permission type | Checkpoint | Default approval template |
|---|---|---|
| Instance (performance, login) | Validation for instance permission application | [Instance-permission application] default approval template |
| Database | Database permission application validation | [DB-permission application] default approval template |
| Table | Table permission application validation | Table-permission request default approval template |
| Programmable object | Programmable object verification | [Programmable object-permission application] default approval template |
| Sensitive column | Sensitive field application validation | [Field-permission application] default approval template |
| Row | Line permission application verification | Line-permission application default approval template |
| Data ownership (no current owner) | Owner application validation | [Owner-application] default approval template (when the resource has no owner) |
| Data ownership (has owner) | Owner application validation | [Owner-application] default approval template (when the resource has an owner) |

The default template for each checkpoint takes effect when no custom rules are configured for that checkpoint at specific risk levels. To override the default, create a security rule under the relevant checkpoint.

Prerequisites

Before you begin, ensure that you have one of the following roles:

  • DMS administrator

  • Database administrator (DBA)

  • Security administrator

Key concepts

Factors are predefined variables that provide context when DMS evaluates a security rule. Factor names use the @fac. prefix. The following factors are available on the Access apply tab:

| Factor | Description |
|---|---|
| @fac.env_type | The environment type display name, such as DEV or PRODUCT. For details, see Change the environment type of an instance. |
| @fac.schema_name | The name of the database. |
| @fac.perm_apply_duration | The duration of the requested permissions, in hours. |
| @fac.column_security_level | The security level of the column. Valid values: sensitive, confidential, inner. |
| @fac.perm_type | The requested permission types, returned as a list of strings such as ['CORRECT','EXPORT']. Valid values: QUERY, EXPORT, CORRECT, LOGIN, PERF. Use with @fun.listEqualIgnoreOrder to evaluate the exact set of permissions. For example, @fun.listEqualIgnoreOrder(@fac.perm_type, ['QUERY']) checks whether only query permissions are requested. |

Actions define what DMS does when a rule's condition is met. Action names use the @act. prefix. The following actions are available on the Access apply tab:

| Action | Description |
|---|---|
| @act.forbid_submit_order | Blocks the ticket from being submitted. |
| @act.do_not_approve | Specifies the ID of an approval template. For details, see Configure approval processes. |
| @act.choose_approve_template | |
| @act.choose_approve_template_with_reason | |

For DSL syntax details, see DSL syntax for security rules.
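
The evaluation flow and the exact-set check described above, modelled in Python as an added example (not DMS code and not part of the original page). The rule set, the template IDs, the 720-hour limit and the precedence between matching rules are assumptions; the factor names, action names and the DEV/PRODUCT values come from the tables above.

```python
# Added illustration: a simplified model of checkpoint evaluation, not DMS's engine.
from collections import Counter

def list_equal_ignore_order(a, b):
    """Model of @fun.listEqualIgnoreOrder: same elements, order ignored."""
    return Counter(a) == Counter(b)

DEFAULT_TEMPLATE = "DEFAULT"       # stands in for the checkpoint's default template
QUERY_ONLY_TEMPLATE = "TPL-QUERY"  # hypothetical approval template ID

# Constructed rules for one checkpoint: (description, condition, (action, argument)).
RULES = [
    ("block production grants longer than 720 hours",
     lambda f: f["env_type"] == "PRODUCT" and f["perm_apply_duration"] > 720,
     ("forbid_submit_order", None)),
    ("query-only requests use a dedicated template",
     lambda f: list_equal_ignore_order(f["perm_type"], ["QUERY"]),
     ("choose_approve_template", QUERY_ONLY_TEMPLATE)),
]

def evaluate(factors, rules=RULES):
    """Return the (action, argument) a ticket with these factors ends up with."""
    matched = [action for _, cond, action in rules if cond(factors)]
    # Assumption: a blocking action outranks any template choice.
    if any(name == "forbid_submit_order" for name, _ in matched):
        return ("forbid_submit_order", None)
    # Assumption: the first matching template rule wins.
    if matched:
        return matched[0]
    # No custom rule matched: the checkpoint's default template applies.
    return ("choose_approve_template", DEFAULT_TEMPLATE)

# Constructed sample tickets.
TICKETS = {
    "query_only": {"env_type": "DEV", "perm_apply_duration": 24, "perm_type": ["QUERY"]},
    "query_export": {"env_type": "DEV", "perm_apply_duration": 24,
                     "perm_type": ["EXPORT", "QUERY"]},
    "long_prod": {"env_type": "PRODUCT", "perm_apply_duration": 1000,
                  "perm_type": ["QUERY"]},
}

if __name__ == "__main__":
    for name, factors in TICKETS.items():
        print(name, evaluate(factors))
```

The query_export ticket falls through to the default template because the exact-set check does not match a request that also includes EXPORT, so a rule written for query-only access cannot be reused to carry a broader permission set.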

Security rule templates

DMS provides predefined templates for common approval scenarios. Select a template as a starting point and modify the DSL to fit your requirements.

| Checkpoint | Available templates |
|---|---|
| Owner application validation | Block all ownership applications; Block ownership applications in production; Auto-approve ownership applications in test |
| Database permission application validation | Block all database permission applications; Block database permission applications in production; Auto-approve database permission applications in test |
| Table permission application validation | Block all table permission applications; Block table permission applications in production; Auto-approve table permission applications in test |
| Programmable object verification | Block all programmable object applications; Block programmable object applications in production; Auto-approve programmable object applications in test |
| Sensitive field application validation | Block all sensitive column permission applications; Route confidential column applications to a specific approval process |
| Line permission application verification | Block all row permission applications; Block row permission applications in production; Route row permission applications to a specific approval process |

Create a security rule

  1. Log in to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Permission Center > Permission Templates.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Permission Center > Permission Templates in the top navigation bar.

  3. Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.

    In normal mode, choose Security and Specifications > Security Rules in the top navigation bar.
  4. On the Security Rules tab, find the security rule set to manage and click Edit in the Actions column.

  5. On the Details page, click the Access apply tab in the left-side pane.

  6. Click Create Rule next to Actions.

  7. In the Create Rule - Access apply dialog box, configure the following parameters:

    | Parameter | Required | Description |
    |---|---|---|
    | Checkpoints | Yes | The checkpoint to attach this rule to. Select from the seven checkpoints listed in How it works. |
    | Template database | No | A predefined template to use as a starting point. After selecting a checkpoint, click Load from Template Database to browse available templates. The rule name and DSL are filled in automatically. |
    | Rule name | Yes | A descriptive name for the rule. Filled in automatically when loading from a template. |
    | Rule DSL | Yes | The DSL expression that defines the condition and action. Filled in automatically when loading from a template. For syntax details, see DSL syntax for security rules. |

  8. Click Submit.

  9. The rule is created in the Disabled state by default. Click Enable in the Actions column, then click OK to activate it.

What's next