The Data Export security rules in Data Management (DMS) let you control which data export tickets are approved, which are blocked, and which bypass approval entirely. Configure rules once on a security rule set, and DMS enforces them automatically every time someone submits a data export ticket — checking the databases, tables, sensitive fields, and row counts involved.
Prerequisites
Before you begin, ensure that you have:
A DMS system role of DMS administrator, database administrator (DBA), or security administrator
Usage notes
Approval processes apply only to instances whose control mode is set to Security Collaboration.
Each instance supports only one security rule. You cannot configure separate approval processes or approvers for different databases on the same instance.
How data export rules work
Checkpoints
Data Export rules are evaluated at two checkpoints during the ticket lifecycle.
| Checkpoint | What it controls |
|---|---|
| Approval Rule Validation | Routes tickets to different approval processes based on your rules — for example, sending tickets that export more than a threshold number of rows to a stricter approval flow |
| Pre-check Validation | Validates the applicant's permissions on the databases, tables, sensitive fields, and rows involved in the export |
Basic configuration item
The Basic Configuration Item is a default fallback rule under each checkpoint. If no custom rule matches, DMS applies the default approval template. Click Switch Approval Template to change which template is used as the fallback.
Factors
A factor is a predefined variable that provides context for rule evaluation — such as the number of rows to export or whether the data contains sensitive fields. Factor names use the @fac. prefix.
| Factor | Type | Description |
|---|---|---|
| @fac.env_type | String | Environment type, such as DEV or PRODUCT. See Environment types for all values. |
| @fac.export_rows | Number | Number of rows to be exported |
| @fac.is_ignore_export_rows_check | Boolean | Whether to skip the row count check |
| @fac.include_sec_columns | Boolean | Whether the export includes sensitive fields |
| @fac.sec_columns_list | String | Sensitive fields in the export, in the format table name.field name, [table name.field name, ...] |
| @fac.user_is_admin | Boolean | Whether the applicant is a DMS administrator |
| @fac.user_is_dba | Boolean | Whether the applicant is a DBA |
| @fac.user_is_inst_dba | Boolean | Whether the applicant is the DBA of the current instance |
| @fac.user_is_sec_admin | Boolean | Whether the applicant is a security administrator |
Actions
An action defines what DMS does when the IF condition in a rule is met. Action names use the @act. prefix.
| Action | Description |
|---|---|
| @act.do_not_approve | Process the ticket without requiring approval |
| @act.choose_approve_template | Route the ticket to a specified approval template |
| @act.choose_approve_template_with_reason | Route the ticket to a specified approval template and record the reason |
| @act.forbid_submit_order | Block the ticket from being submitted |
| @act.enable_check_permission | Validate the applicant's permissions on the involved databases and tables |
| @act.disable_check_permission | Skip permission validation for databases and tables |
| @act.enable_check_sec_column | Validate the applicant's permissions on involved sensitive fields |
| @act.disable_check_sec_column | Skip permission validation for sensitive fields |
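The evaluation model described in this section, as an added example that is neither DMS code nor DMS rule DSL: rules under Approval Rule Validation are tried against a ticket's factors, and the default approval template applies when none matches. The Python rule encoding, first-match ordering, row thresholds, rule names, and template names are assumptions; the probe check shows how a broad no-approval rule placed first can shadow a sensitive-field rule.

```python
# Added illustration: a local model of Approval Rule Validation, not DMS code.
# Factor/action names are from the tables above. The rule encoding, first-match
# ordering, row thresholds and template names are assumptions for this sketch.

DEFAULT_TEMPLATE = "default-approval"  # stands in for the Basic Configuration Item

def ticket(env="DEV", rows=100, sec_cols=False):
    """Factor values for one export ticket (constructed sample input)."""
    return {"@fac.env_type": env, "@fac.export_rows": rows,
            "@fac.include_sec_columns": sec_cols}

# Each rule: (name, IF condition over the factors, action, action argument).
RULES = [
    ("block-huge-prod-export",
     lambda f: f["@fac.env_type"] == "PRODUCT" and f["@fac.export_rows"] > 1_000_000,
     "@act.forbid_submit_order", None),
    ("sensitive-fields-strict",
     lambda f: f["@fac.include_sec_columns"],
     "@act.choose_approve_template_with_reason", "strict-approval"),
    ("small-dev-export",
     lambda f: f["@fac.env_type"] == "DEV" and f["@fac.export_rows"] <= 1000,
     "@act.do_not_approve", None),
]

def evaluate(factors, rules=RULES):
    """Return (rule name, action, argument) for the first rule whose IF matches."""
    for name, condition, action, arg in rules:
        if condition(factors):
            return name, action, arg
    # No custom rule matched: the default approval template applies.
    return "basic-configuration-item", "@act.choose_approve_template", DEFAULT_TEMPLATE

def unapproved_sensitive_exports(rules, probes):
    """Rules that let a probe ticket containing sensitive fields skip approval."""
    hits = set()
    for factors in probes:
        name, action, _ = evaluate(factors, rules)
        if factors["@fac.include_sec_columns"] and action == "@act.do_not_approve":
            hits.add(name)
    return sorted(hits)

# Constructed probe tickets covering the combinations the rules care about.
PROBES = [ticket(sec_cols=True), ticket("PRODUCT", 5000, sec_cols=True),
          ticket("PRODUCT", 2_000_000), ticket("PRODUCT", 5000)]
```

Running the probe check against a proposed rule order before enabling it catches the case where a DEV ticket that includes sensitive fields would be processed without approval.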
Modify the default approval template
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Security Rules. In normal mode, choose Security and Specifications (DBS) > Security Rules in the top navigation bar.
Find the rule set to manage and click Edit in the Actions column.
In the left-side navigation pane of the Details page, click Data Export.
Select Basic Configuration Item for Checkpoints.
Find the Default Approval template for Data Export rule and click Edit in the Actions column.
In the Change Configuration Item dialog box, click Switch Approval Template.
Find the target template and click Select in the Actions column.
To skip approval entirely, click Reset to Free of Approval instead.
Click Submit.
Create a rule
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Security Rules. In normal mode, choose Security and Specifications (DBS) > Security Rules in the top navigation bar.
Find the target security rule set and click Edit in the Actions column.
In the left-side navigation pane of the Details page, click Data Export.
Select Basic Configuration Item for Checkpoints.
Click Create Rule.
In the Create Rule - Data Export dialog box, configure the following parameters.
| Parameter | Required | Description |
|---|---|---|
| Checkpoints | Yes | The checkpoint for this rule: Pre-check Validation or Approval Rule Validation |
| Template Database | Yes | A pre-built rule template to start from. After selecting a checkpoint, click Load from Template Database to browse available templates. Pre-check Validation templates: Control database table permission verification, Control sensitive column permission verification, Control row permission verification. Approval Rule Validation templates: No approval, Default approval definition, Set up an approval process involving export of highly sensitive fields. |
| Rule Name | Yes | A name for the rule. Auto-filled when you load a template. |
| Rule DSL | Yes | The DSL statement for the rule. Write conditions using the factors, actions, functions, and operators listed in the panel. If you loaded a template, modify the pre-filled DSL as needed. See DSL syntax for security rules. |
Click Submit.
New rules are Disabled by default. To activate a rule, select the checkpoint, find the new rule, click Enable in the Actions column, and click OK.