All Products
Search
Document Center

Data Management:Data export

最終更新日:Nov 15, 2024

Data Management (DMS) allows you to manage security rules on the Data Export tab to validate the permissions of data export applicants on the databases, tables, sensitive fields, and rows involved in data export operations after the applicants submit data export tickets. This helps ensure data security.

Prerequisites

You are a DMS administrator, DBA, or security administrator. For more information about how to view the system roles of users, see View system roles.

Precautions

You can set approval processes only for instances whose control mode is Security Collaboration. For more information, see Modify the default approval template.

Basic configuration items

You can configure approval processes for data export tickets at different risk levels under the approval rule validation checkpoint. If you do not configure an approval process, the default approval template is used. You can change the approval process of the default approval template by clicking Switch Approval Template. For more information, see Modify the default approval template.

Checkpoints

  • Approval Rule Validation: Allows you to submit data export tickets to different approval processes by configuring security rules. For example, tickets for exporting more than a certain number of data rows are submitted to one approval process and other tickets are submitted to another approval process. You can also use the Default approval template for data export under Basic Configuration Item. For more information, see Create a rule.

  • Pre-check Validation: Allows you to configure custom security rules to specify whether to validate the permissions of applicants on involved databases, tables, sensitive fields, and rows. You can also use the Default approval template for data export under Basic Configuration Item. For more information, see Create a rule.

Factors and actions

  • Factors

    A factor is a predefined variable in DMS. You can use factors to obtain the context to be validated by security rules. The context includes SQL statement categories and the number of rows to be affected. A factor name consists of the prefix @fac. and the display name of the factor. Each module of the Security Rules tab provides different factors for different checkpoints. The following table describes the factors provided for the checkpoints in Data Export.

    @fac.env_type

    The type of the environment. The value is the display name of the environment type, such as DEV or PRODUCT. For information about more environment types, see Environment types.

    @fac.is_ignore_export_rows_check

    A Boolean value that indicates whether to skip the check on the number of rows to be affected.

    @fac.export_rows

    The number of rows to be exported.

    @fac.include_sec_columns

    A Boolean value that indicates whether the data to be exported contains sensitive fields.

    @fac.sec_columns_list

    The sensitive fields contained in the data to be exported. The fields are listed in the format of table name.field name, [table name.field name, ...].

    @fac.user_is_admin

    A Boolean value that indicates whether the applicant is a DMS administrator.

    @fac.user_is_dba

    A Boolean value that indicates whether the applicant is a DBA.

    @fac.user_is_inst_dba

    A Boolean value that indicates whether the applicant is the DBA of the current instance.

    @fac.user_is_sec_admin

    A Boolean value that indicates whether the applicant is a security administrator.

  • Actions

    An action in a security rule is an operation that DMS performs when the IF condition in the rule is met. For example, DMS can forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. An action in a security rule shows the purpose of the security rule. An action name consists of the prefix @act. and the display name of the action. Each module of the Security Rules tab provides different actions for different checkpoints. The following table describes the actions provided for the checkpoints in Data Export.

    @act.do_not_approve

    Allows a ticket to be processed without approval.

    @act.choose_approve_template

    Specifies an approval template.

    @act.choose_approve_template_with_reason

    Specifies an approval template and provides the reason.

    @act.forbid_submit_order

    Forbids the submission of the ticket.

    @act.enable_check_permission

    Validates the permissions of the applicant on involved databases and tables.

    @act.disable_check_permission

    Does not validate the permissions of the applicant on involved databases and tables.

    @act.enable_check_sec_column

    Validates the permissions of the applicant on involved sensitive fields.

    @act.disable_check_sec_column

    Does not validate the permissions of the applicant on involved sensitive fields.

Modify the default approval template

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the 2023-01-28_15-57-17.png icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Security Rules in the top navigation bar.

  3. Find the rule set you want to manage, and click Edit in the Actions column.

  4. In the left-side navigation pane of the Details page, click Data Export.

  5. Select Basic Configuration Item for Checkpoints.

  6. Find the Default Approval template for Data Export rule and click Edit in the Actions column.

  7. In the Change Configuration Item dialog box, click Switch Approval Template.

  8. Find the target template, click Select in the Actions column.

    Note

    You can also click Reset to Free of Approval to skip the approval for tickets.

  9. Click Submit.

Create a rule

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the 2023-01-28_15-57-17.png icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Security Rules in the top navigation bar.

  3. Find the target security rule set, click Edit in the Actions column.

  4. In the left-side navigation pane of the Details page, click Data Export.

  5. Select Basic Configuration Item for Checkpoints.

  6. Click Create Rule.

  7. In the Create Rule - Data Export dialog box, configure the following parameters:

    Configuration item

    Required

    Description

    Checkpoints

    Yes

    The checkpoint under which you want to create the security rule. The following two checkpoints are provided in Data Export:

    • Pre-check Validation

    • Approval Rule Validation

    Template Database

    Yes

    The template that you want to use to create the security rule. DMS provides a large number of security rule templates. After you select a checkpoint, click Load from Template Database and select a template. The template database provides the following templates:

    • Pre-check Validation: Control database table permission verification, Control sensitive column permission verification, and Control row permission verification.

    • Approval Rule Validation: No approval, Default approval definition, and Set up an approval process involving export of highly sensitive fields.

    Rule Name

    Yes

    The name of the custom security rule.

    Note

    If you load a rule template from Template Database, the rule name is automatically entered.

    Rule DSL

    Yes

    The DSL statement for the security rule. For more information about the DSL syntax, see DSL syntax for security rules.

    • When you write the DSL statement, you can use the factors, actions, functions, and operators that are displayed on the right.

    • If you load a rule template, you can modify the predefined DSL statement included in the template.

  8. Click Submit.

    Note

    The new rule is Disabled by default. On the current page, select the corresponding checkpoint, find the new rule, click Enable in the Actions column, and click OK. Then, the new rule is enabled.