Security rules use a domain-specific language (DSL) to achieve the fine-grained management of databases. These rules allow you to manage Data Management (DMS) features such as querying, exporting, and changing data. This way, you can formulate operation guidelines and define development processes for your databases in DMS. This topic describes how to create, configure, and apply security rules.

Prerequisites

  • You are a DMS administrator or a database administrator (DBA). For more information about how to view the role of a user, see View owned system roles.
  • Your database instance is managed in Security Collaboration mode.
    Note: Database instances that are managed in Flexible Management or Stable Change mode support only default security rules.

Scenarios

Scenario:

  • You must use external communication systems such as email and instant messaging (IM) services to communicate with others and apply data changes. An online process management system is required.
  • You want to manage the development process of databases to ensure schema consistency between databases in different environments. For example, design and verify a database in a development environment and publish the database to an environment for joint debugging and test. After the joint debugging and test, publish the database to a staging environment. After the database is verified in the staging environment, publish the database to a production environment.
  • You want to manage the standards for schema design in databases. For example, a table must be created with a primary key, and a field that is added to an existing table cannot be empty.
  • You do not allow the execution of high-risk SQL statements, such as the SQL statements that are used to delete data or tables. Only SELECT statements are allowed.
  • You want differentiated approval processes for database operations. For example, no approval is required for writing data, the approval of a business manager is required for changing 10,000 data records or less, and the approval of a business manager and a DBA is required for changing more than 10,000 data records.
  • You want differentiated approval processes for granting permissions on databases. For example, no approval is required for granting permissions on databases in a test environment, and the approval of a business manager is required for granting permissions on databases in a production environment.

Solution:

  • Security rules integrate R&D processes, R&D specifications, and approval processes. You can use security rules to coordinate DMS features and allow multiple online developers to collaboratively manage databases.
  • Security rules support a variety of SQL engines. You can customize security rules to check and manage SQL statements.
  • Security rules provide a powerful approval feature. You can customize approval processes based on different user behaviors.

Create security rules

You can create multiple sets of security rules for databases in different environments.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, click Security Rules.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > Security > Security Rules.
  3. In the upper-left corner of the Security Rules tab, click Create Rule Set.
  4. In the Create Rule Set dialog box, set the parameters. The following table describes the parameters.
    Parameter | Description
    Engine Type | The database engine for which you want to create a security rule set.
    Rule Set Name | The name of the security rule set.
    Remarks | The information about the security rule set for easy identification. For example, you can enter the applicable scope of the security rule set.
  5. Click Submit.

Configure security rules

On the Details page of a security rule set, you can modify the configurations of default security rules or create custom security rules based on your business requirements.

For example, you can disable the Whether the result set supports export rule on the SQL Console tab to forbid the export of query result sets on an SQLConsole tab of a database.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, click Security Rules.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > Security > Security Rules.
  3. On the Security Rules tab, find the security rule set that you created and click Edit in the Actions column.
    Note: For more information about how to create a security rule set, see Create security rules.
  4. In the left-side navigation pane of the Details page, click the tab on which you want to configure security rules.
  5. Configure security rules. DMS provides a large number of predefined configurations and rules for checkpoints. You can modify the configurations and change the state of rules based on your business requirements.
    Note: When a task is submitted in DMS, DMS automatically checks the task against related rules configured for the corresponding checkpoints. The task is allowed to be executed only if the task is validated by all related security rules.
  6. Optional: Perform the following operations to create a custom security rule if the predefined configurations and rules cannot meet your requirements.
    1. Click Create Rule next to Actions.
    2. In the Create Rule dialog box, set the parameters and click Submit. The following table describes the parameters.
      Parameter | Description
      Checkpoints | The checkpoint for which you want to create the security rule.
        Note: You cannot create security rules for the Basic Configuration Item checkpoint.
      Template Database | Optional. The rule template based on which you want to create the security rule. You can click Load from Template Database to load a template as required.
      Rule Name | The name of the security rule.
      Rule DSL | The DSL statement for the security rule. For more information about the DSL syntax, see DSL syntax for security rules.
        • When you write the DSL statement, you can use the factors, actions, functions, and operators that are displayed on the right.
        • If you load a rule template, you can modify the DSL statement predefined in the template.
    3. Click the checkpoint that you specified for the created security rule. In the list that appears, find the security rule that you created and click Enable in the Actions column. In the Prompt message, click OK.
      Note: By default, a rule is in the Disabled state after the rule is created.
Different tabs on the Details page of a security rule set display different checkpoints. For more information, see the following topics:

Apply security rules

You can use one of the following methods to apply a security rule to one or more database instances as required.

Method 1

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Data Assets. In the left-side navigation pane, click Instances.
  3. Click the Instance List tab.
  4. Select one or more instances and click Batch edit.
    Note: The instances must run the same database engine.
  5. In the Edit instance information in batches dialog box, set the Control Mode parameter to Security Collaboration.
  6. Select the security rule that you want to apply to the instances from the Security Rules drop-down list and click OK.

Method 2

  1. Log on to the DMS console V5.0.
  2. In the left-side instance list, right-click the instance to which you want to apply a security rule.
  3. Choose Control Mode > Security Collaboration and select a security rule as required.
  4. In the Modify control mode message, click OK.