Updated on 2024-09-24 GMT+08:00

Creating a Database Rule

Database rules are used to intercept sensitive database session operations, implementing fine-grained control over database operations. When an authorized system user logs in to a database related to a database rule, their sensitive operations will be intercepted once the database rule is triggered.

With database rules, you can:

  • Sort command rules by priority. The rule in the upper position has the higher priority than the ones in a lower position.
  • Configure four command execution actions, including permitting, rejecting, requiring dynamic approval, and disconnecting the connection.
    • Permit: By default, all operations are allowed. After a database rule is triggered, operations in the related regulation set are allowed.
    • Reject: After a database rule is triggered, the system rejects to execute the operation and displays a message indicating that the operation has been intercepted.
    • Disconnect: After a database rule is triggered, the system rejects to execute the operation and disconnects the O&M session. The system displays a message indicating that the connection is forcibly disconnected by the administrator.
    • Dynamic approval: After a database rule is triggered, the system rejects to execute the operation. The system displays a message indicating that the operation has been intercepted and asking you to submit a database approval ticket. A database approval ticket is automatically generated. The command can be executed only after the ticket is submitted and approved.

Constraints

  • The database operation audit is available only in professional editions.
  • Database rules apply only to MySQL, Oracle, PostgreSQL, and GaussDB databases for fine-grained permission control.

Prerequisites

You have the operation permissions for the DB Rules module.

Creating a Database Rule

  1. Log in to your bastion host.
  2. Choose Policy > DB Rules > DB Rules.
  3. In the upper right corner of the page, click New.

    You can also select a database rule and choose More > Insert to create a database rule. After the configuration is complete, a new rule is created.

  4. Configure the basic information.

    Table 1 Basic information parameters

    Parameter

    Description

    Rule Name

    Name of the database rule. The rule name must be unique in a bastion host.

    Action

    Action executed by the rule.

    The options are Disconnect, Reject command, Dynamic approval, and Permit.

    • Disconnect: When a database rule is triggered, the system automatically disconnects the session.
    • Reject command: When a database rule is triggered, the system directly rejects the command.
    • Dynamic approval: When a database rule is triggered, the system directly rejects the command and requires an approval from the administrator. To continue the execution of the command, the system user needs to submit a ticket to the administrator for approval.
    • Permit: When a database rule is triggered, the system allows the database operation commands to be executed.

    Period of validity

    Effective time and expiration time of the rule

    Time Limit

    Validity period of a rule

  5. Click Next and start to relate the command rule to a rule set.

    Select a rule set. For details about command sets, see Managing Database Rule Sets.

  6. Click Next and start to relate the database rule to one or more users or user groups.

    After a user group is related to a command rule, users automatically obtain the permissions of the command rule the instant they are added to the user group.

  7. Click Next and start to relate the database rule to one or more accounts or account groups.

    After a database rule is related to an account group, accounts automatically obtain the permissions of the database rule the instant they are added to the account group.

  8. Click OK. You can then view the created rule in the rule list.

    During O&M, when a command rule is triggered, the system executes configured actions accordingly.

    Users in the Relate User and Relate User Group panes must have a role that has database ticket approval permissions assigned to them. Otherwise, users cannot view the database approval ticket module or submit a ticket to obtain required permissions.

Follow-up Operations

In your bastion host, you can manage all database rules on the rule list page, including managing related users or resources, deleting, enabling, or disabling one or more command rules, and sorting command rules by priority.

  • To quickly relate a command rule to more users, user groups, accounts, or account groups, select the rule and click Relate in the Operation column.
  • To delete a command rule, select the rule and click Delete in the Operation column.
  • To disable command rules, select the ones you want to disable and click Disable at the bottom of the list. When the status of those rules changes to Disabled, they become invalid.
  • To change the priority of a command rule, select the rule and drag and drop it to an upper or lower position.