Use the Access apply tab in Security Rules to define approval workflows for permission requests on database instances, databases, tables, columns, rows, programmable objects, and data ownership. Rules are written in DMS's domain-specific language (DSL) and evaluated as checkpoints when users submit permission tickets.
How it works
When a user submits a permission ticket, DMS evaluates it against the rules defined under each checkpoint. The ticket proceeds only when it passes all applicable rules. Each checkpoint maps to specific ticket types and has a default approval template that applies when no custom rules match.
The following table shows how permission types, checkpoints, and default templates relate to each other:
| Permission type | Checkpoint | Default approval template |
|---|---|---|
| Instance (performance, login) | Validation for instance permission application | [Instance-permission application] default approval template |
| Database | Database permission application validation | [DB-permission application] default approval template |
| Table | Table permission application validation | Table-permission request default approval template |
| Programmable object | Programmable object verification | [Programmable object-permission application] default approval template |
| Sensitive column | Sensitive field application validation | [Field-permission application] default approval template |
| Row | Line permission application verification | Line-permission application default approval template |
| Data ownership (no current owner) | Owner application validation | [Owner-application] default approval template (when the resource has no owner) |
| Data ownership (has owner) | Owner application validation | [Owner-application] default approval template (when the resource has an owner) |
The default template for each checkpoint takes effect when no custom rules are configured for that checkpoint at specific risk levels. To override the default, create a security rule under the relevant checkpoint.
Prerequisites
Before you begin, ensure that you have one of the following roles:
DMS administrator
Database administrator (DBA)
Security administrator
Key concepts
Factors are predefined variables that provide context when DMS evaluates a security rule. Factor names start with the @fac. prefix. The following factors are available on the Access apply tab:
| Factor | Description |
|---|---|
| @fac.env_type | The environment type display name, such as DEV or PRODUCT. For details, see Change the environment type of an instance. |
| @fac.schema_name | The name of the database. |
| @fac.perm_apply_duration | The duration of the requested permissions, in hours. |
| @fac.column_security_level | The security level of the column. Valid values: sensitive, confidential, inner. |
| @fac.perm_type | The requested permission types, returned as a list of strings such as ['CORRECT','EXPORT']. Valid values: QUERY, EXPORT, CORRECT, LOGIN, PERF. Use with @fun.listEqualIgnoreOrder to evaluate the exact set of permissions. For example, @fun.listEqualIgnoreOrder(@fac.perm_type, ['QUERY']) checks whether only query permissions are requested. |
Actions define what DMS does when a rule's condition is met. Action names start with the @act. prefix. The following actions are available on the Access apply tab:
| Action | Description |
|---|---|
| @act.forbid_submit_order | Blocks the ticket from being submitted. |
| @act.do_not_approve | Lets the ticket proceed without an approval process (auto-approve). |
| @act.choose_approve_template | Specifies the ID of the approval template to use. For details, see Configure approval processes. |
| @act.choose_approve_template_with_reason | Specifies the ID of the approval template to use together with a reason for selecting it. |
For DSL syntax details, see DSL syntax for security rules.
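As an added illustration (not DMS code and not the DSL itself), the following Python models how the rules under one checkpoint are applied to a permission ticket, using the factor and action names above. DSL conditions are represented as Python callables, the template ID 1001 is a placeholder, and the precedence between a blocking action and the template actions is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
Factors = Dict[str, object]  # e.g. {"@fac.env_type": "PRODUCT", ...}

def list_equal_ignore_order(a: List[str], b: List[str]) -> bool:
    """Model of @fun.listEqualIgnoreOrder: same members, any order."""
    return sorted(a) == sorted(b)

@dataclass
class Rule:
    name: str
    condition: Callable[[Factors], bool]   # stands in for the DSL condition
    action: str                            # an @act.* name from this page
    template_id: Optional[int] = None      # for @act.choose_approve_template

@dataclass
class Checkpoint:
    name: str
    default_template: str
    rules: List[Rule] = field(default_factory=list)

def evaluate(cp: Checkpoint, fac: Factors) -> Dict[str, object]:
    """Evaluate every enabled rule of one checkpoint against a ticket.
    Assumed precedence: any @act.forbid_submit_order blocks the ticket; else
    the first matching approval action wins; else the default template applies."""
    matched = [r for r in cp.rules if r.condition(fac)]
    for r in matched:
        if r.action == "@act.forbid_submit_order":
            return {"submitted": False, "blocked_by": r.name}
    for r in matched:
        if r.action == "@act.do_not_approve":
            return {"submitted": True, "approval": None, "rule": r.name}
        if r.action == "@act.choose_approve_template":
            return {"submitted": True, "approval": r.template_id, "rule": r.name}
    return {"submitted": True, "approval": cp.default_template, "rule": None}

# Constructed sample rule set for the table permission checkpoint.
TABLE_CHECKPOINT = Checkpoint(
    "Table permission application validation",
    "Table-permission request default approval template",
    [
        Rule("Block production table requests longer than 24 hours",
             lambda f: f["@fac.env_type"] == "PRODUCT" and f["@fac.perm_apply_duration"] > 24,
             "@act.forbid_submit_order"),
        Rule("Auto-approve query-only requests in DEV",
             lambda f: f["@fac.env_type"] == "DEV" and list_equal_ignore_order(f["@fac.perm_type"], ["QUERY"]),
             "@act.do_not_approve"),
        Rule("Route production export requests to template 1001 (placeholder ID)",
             lambda f: f["@fac.env_type"] == "PRODUCT" and "EXPORT" in f["@fac.perm_type"],
             "@act.choose_approve_template", 1001),
    ],
)
```

A ticket that matches none of the three rules falls through to the checkpoint's default approval template, which is the behaviour described under How it works.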
Security rule templates
DMS provides predefined templates for common approval scenarios. Select a template as a starting point and modify the DSL to fit your requirements.
| Checkpoint | Available templates |
|---|---|
| Owner application validation | Block all ownership applications<br>Block ownership applications in production<br>Auto-approve ownership applications in test |
| Database permission application validation | Block all database permission applications<br>Block database permission applications in production<br>Auto-approve database permission applications in test |
| Table permission application validation | Block all table permission applications<br>Block table permission applications in production<br>Auto-approve table permission applications in test |
| Programmable object verification | Block all programmable object applications<br>Block programmable object applications in production<br>Auto-approve programmable object applications in test |
| Sensitive field application validation | Block all sensitive column permission applications<br>Route confidential column applications to a specific approval process |
| Line permission application verification | Block all row permission applications<br>Block row permission applications in production<br>Route row permission applications to a specific approval process |
Create a security rule
Log in to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules. In normal mode, choose Security and Specifications > Security Rules in the top navigation bar.
On the Security Rules tab, find the security rule set to manage and click Edit in the Actions column.
On the Details page, click the Access apply tab in the left-side pane.
Click Create Rule next to Actions.
In the Create Rule - Access apply dialog box, configure the following parameters:
| Parameter | Required | Description |
|---|---|---|
| Checkpoints | Yes | The checkpoint to attach this rule to. Select from the seven checkpoints listed in How it works. |
| Template database | No | A predefined template to use as a starting point. After selecting a checkpoint, click Load from Template Database to browse available templates. The rule name and DSL are filled in automatically. |
| Rule name | Yes | A descriptive name for the rule. Filled in automatically when loading from a template. |
| Rule DSL | Yes | The DSL expression that defines the condition and action. Filled in automatically when loading from a template. For syntax details, see DSL syntax for security rules. |
Click Submit.
The rule is created in the Disabled state by default. Click Enable in the Actions column, then click OK to activate it.
What's next
DSL syntax for security rules — Learn the full DSL syntax to write custom conditions and actions.
Configure approval processes — Set up the approval templates referenced by @act.choose_approve_template.
Data change — Modify the default approval template for an instance permission application.