Manage security rules

Security rules in Data Management (DMS) enforce fine-grained database governance through rule sets written in a domain-specific language (DSL). Use them to control queries, exports, data changes, approvals, and development workflows across your database instances.

Prerequisites

  • Your role is DMS administrator or DBA. To verify your role, see View system roles.

  • The target database instance uses Security Collaboration mode.

    Note

    Instances in Flexible Management or Stable Change mode support only default security rules.

Scenarios

Goal

How rules help

Replace email and IM-based change requests with online workflows

Unify R&D processes, standards, and approvals for collaborative online database management

Keep schemas consistent across dev, test, staging, and production environments

Enforce schema design standards

Block high-risk SQL statements

Apply tiered approval for data changes

Apply tiered approval for permission grants

Navigate to the security rules page

  1. Log on to the DMS console V5.0.

  2. Open the Security Rules page:

    • Compact mode: Hover over the icon in the upper-left corner and choose All functions > Security and Specifications > Security Rules.

    • Normal mode: In the top navigation bar, choose Security and Specifications > Security Rules.

Step 1: Create a rule set

Create separate rule sets to apply different security policies by database engine and environment.

  1. Log in to DMS 5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Security Rules.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Security Rules in the top navigation bar.

  3. On the Security Rules page, click Create Rule Set in the upper-left corner.

  4. Configure the rule set:

    Parameter        Description
    Engine Type      The database engine for this rule set.
    Rule Set Name    A descriptive name for the rule set.
    Remarks          The intended scope, such as the target environment.

  5. Click Submit.

Step 2: Configure rules in a rule set

Open a rule set's Details page to modify default rules or add custom rules for specific checkpoints.

For example, disable the Whether the result set supports export rule on the SQL Console tab to block result set exports.

Note

When a task is submitted, DMS validates it against all rules for the corresponding checkpoints. The task runs only after passing all validations.

Edit predefined rules

  1. Log in to DMS 5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Security Rules.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Security Rules in the top navigation bar.

  3. On the Security Rules page, find the target rule set and click Edit in the Actions column.

    Note

    To create a rule set, see Create security rules.

  4. In the left-side navigation pane of the Details page, select a checkpoint tab.

  5. Modify predefined configurations and toggle rule states as needed.

Create a custom rule

Create a custom rule when predefined rules do not meet your requirements.

  1. On the Details page of the rule set, click Create Rule next to Actions.

  2. Set the following parameters:

    Parameter            Description
    Checkpoints          The checkpoint this rule applies to. Note: You cannot add rules to the Basic Configuration Item checkpoint.
    Template Database    Optional. Click Load from Template Database to load a pre-built DSL template that you can modify.
    Rule Name            A descriptive name for the rule.
    Rule DSL             The DSL statement that defines the rule logic. Use the factors, actions, functions, and operators listed in the editor. For DSL syntax, see DSL syntax for security rules.

  3. Click Submit.

  4. Navigate to the checkpoint tab, find the new rule, and click Enable in the Actions column. In the Prompt dialog, click OK.

    Note

    Newly created rules default to Disabled. You must enable them manually.

Checkpoint reference

Each tab on the rule set Details page corresponds to a checkpoint.

Checkpoint                              Documentation
SQL Console for relational databases    SQL Console for relational databases
SQL Console for MongoDB                 SQL Console for MongoDB
SQL Console for Redis                   SQL Console for Redis
SQL Correct                             SQL Correct
Permission application                  Permission application
Data Export                             Data Export
Schema Design                           Schema Design
Synchronize databases and tables        Synchronize databases and tables
Data Tracking                           Data Tracking
Sensitive Column Change                 Sensitive Column Change
Test Data Generate                      Test Data Generate
Database Clone                          Database Clone

Step 3: Apply a rule set to instances

After configuring a rule set, apply it to database instances using either of the following methods.

Batch apply (recommended)

Apply the same rule set to multiple instances at once.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, click Data Assets. In the left-side navigation pane, click Instances.

  3. Click the Instance List tab.

  4. Select one or more instances and click Batch edit.

    Note

    All selected instances must share the same database engine.

  5. In the Edit instance information in batches dialog, set Control Mode to Security Collaboration.

  6. Select a rule set from the Security Rules drop-down list and click OK.

Apply to a single instance

  1. Log in to DMS 5.0.

  2. In the left-side instance list, right-click the target instance.

  3. Choose Control Mode > Security Collaboration and select a security rule set.

  4. In the Modify control mode dialog, click OK.