All Products
Search

This Product

    Data Management:Row-level access control

    Document Center

    Data Management:Row-level access control

    Last Updated:Nov 15, 2024

    This topic describes how to implement row-level access control and apply for row permissions.

    Scenarios

    The row-level access control feature of Data Management (DMS) allows you to control the data rows that are available to specific employees by using one or multiple values of the control field.

    • For example, if you want your employees to only view data of the regions for which they are responsible, you can use the row-level access control feature of DMS.

    • If you have multiple tables in a database that each require row-level access control by using the same control value, you can use a control group to implement row-level access control on multiple tables.

    Prerequisites

    • The database instance is managed in the Security Collaboration mode. For more information, see Control modes.

    • You are a database administrator (DBA), a DMS administrator, or a security administrator. For more information, see View system roles.

    • The database is a relational database, such as an ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, or PolarDB for MySQL database.

      Note

      Only physical databases are supported.

    Procedure

    In the following example, a production database named poc_prod is used.

    Step 1: Add row-level access control

    1. Log on to the DMS console V5.0.

    2. Move the pointer over the 2023-01-28_15-57-17.png icon in the upper-left corner and choose All functions > Security and Specifications > Sensitive Data > Sensitive Data Assets.

      Note

      If you use the DMS console in normal mode, choose Security and Specifications > Sensitive Data > Sensitive Data Assets in the top navigation bar.

    3. In the upper-right corner of the page, click Global Sensitive Data and go to the row control tab.

      Note

      You can also go to the row control page by clicking Sensitive Data List on the Enabled tab of the Instance List section.

    4. Create a control group.

      On the Row Control tab, click Create Control Group and enter the control group name.

    5. Add row configuration.

      1. Click Add Row Configuration.

      2. The database on which you want to perform row-level access control. Select the database from the Database drop-down list. You can also enter a keyword to search for the database.

      3. Select the table on which you want to configure row-level access control and the control field.

        Note

        A table can be specified in a control group for only once. Only one control field can be specified for a table.

      4. Click Add.

    6. Add control values.

      1. Click Details to the right of the control group.

      2. On the page that appears, click Add Row Value and set the following parameters:

        Parameter

        Description

        Append ?

        Valid values:

        • Yes: New values are added to the existing values.

        • No: Existing values are replaced with new values.

        Row Value Content

        The values to be managed. You can add multiple values at a time. Separate multiple values with commas (,).

      3. Click Import.

        If the row values are imported, a message is displayed in the upper part of the page.

    Step 2: Apply for row permissions

    All users, including DMS administrators and DBAs, must apply for permissions on specific rows before they can query the data of the rows.

    1. Log on to the DMS console V5.0.

    2. Move the pointer over the 2023-01-28_15-57-17.png icon in the upper-left corner and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

      Note

      If you use the DMS console in normal mode, choose Security and Specifications > Permission Center > Permission Tickets in the top navigation bar.

    3. On the Access applyTickets page, choose Access apply > Row Permission.

    4. Select the target row and click Add.The row appears in the Selected Databases/Tables/Columns section.

    5. In the Select Permission section, select Query and specify Duration and Reason.

    6. After you configure the parameters, click Submit. Wait for approval, after which the controlled data can be queried on the SQL Console tab.

      Note

      After the ticket is submitted, wait for approval. You can view the status of the ticket in the My Tickets section of the Workbench tab.

    More

    • Delete row-level control group: On the row-level control tab, you can delete the control group. After the control group is deleted, the row-level control configuration becomes ineffective.

    • Edit row-level control group: On the row-level control tab, you can modify the configurations such as the control group name and the configured control field.

    FAQ

    Q: Why does executing a query on the SQL Console tab fail even though I am granted the query permissions on the control rows?

    A: Perform the following steps to troubleshoot:

    1. Make sure you have the query permissions on the destination database and table. For more information about the specific procedure, see Step 2: Apply for row permissions.

    2. Use SQL statements with WHERE conditions on the SQL Console tab to query the controlled data rows.

      For example, if the controlled field is "buyer_name" and the controlled row values are "name1", "name2", and "name3", and you have the query permissions for the database and the dms_test table, you can query the controlled data rows by executing the following statement on the SQL Console tab.

      • To query the data row that contains a single controlled value, use = and IN in the WHERE clause of the SQL statement. Sample SQL statements:

        SELECT * FROM dms_test WHERE buyer_name ='name1';

      • To query the data rows that contain multiple controlled values, use IN in the WHERE clause. Sample SQL statements:

        SELECT * FROM dms_test WHERE buyer_name IN ('name1', 'name2','name3');