Strategy Template
Policy Template: When creating or editing policies under the path Ops Asset Control > Security Control > Policy Management, users can directly reference policy templates. This effectively reduces workload and operation time for administrators and enables rapid configuration of policy rules. Policy templates are available for all O&M asset repositories with the same database type.
Adding Policy Template
- Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
- In the left navigation bar, select Rule Management> Strategy Template. The page displays policy template information by database type.
- The right side of the page defaults to the policy template under the first database type.
- Select one rule type from: Fuzzy Matching Desensitization, SQL Block, Row Access Control, SQL Replace, Table Name Replacement, or Access Audit.
- Click the Add Template button.
- Configure basic information of the policy template. Figure 1 Basic information
Table 1 Parameter escription for basic information of new policy template Parameter
Description
Template Name
Enter any character-based string for easy management and memorization. (Required)
Template Type
Including Fuzzy Matching Desensitization, SQL Block, Row Access Control, SQL Replace, Table Name Replacement, and Access Audit policy types. (Required)
Group by DB
Database type: Supported database types include, but are not limited to, MySQL, PostgreSQL, Oracle, DB2, SQL Server, MariaDB, Kingbase, Dameng, Greenplum and OpenGauss. (Required)
Template Description
Enter the descriptive information for the current rule.
- Condition information for the configuration policy template. Figure 2 onditional information
Table 2 Parameter escription for condition information of new policy template Parameter
Description
Operations and Maintenance User
Used to define the prevention and control scope for application users.
Operations and Maintenance Role
The role information defined in the User Management > System Roles feature allows each user to belong to one or more roles.
Organization.
The User Management > Company feature defines organizational information, and each user can belong to one organization.
Database User
Used to define the protection scope for database users.
Client IP
Define the range of IP addresses and determine the scope of security controls using various IP address operators such as equal to, includes, and excludes. It also supports direct reference to IP templates.
Client Hostname
Terminal host name (available for ORACLE, Dameng, and MS_SQLSERVER database types).
Client OS User
Client-side OS user (available when using the ORACLE database type).
Client Tools
The name of the client tool used by operations personnel to access data, such as WebSQL.
Impact Period
Effective time range of the current rule: Select Start Time - End Time.
- Configure matching information of the policy template.
- Template Type: Fuzzy Matching Desensitization. Figure 3 Matching nformation – Fuzzy Matching Desensitization
Table 3 Parameter escription for Fuzzy Matching Desensitization of new policy template Parameter
Description
Matching content
This option applies when you select Fuzzy Matching Desensitization under Template Type.
One type of matching condition. Matches SQL statements using regular expressions.
Enter a regular expression, for example: *. represents all SQL statements. select.* represents statements starting with select.
Column Masking
One type of matching condition. It matches schema names, table names and column names via regular expressions, and bulk-configures desensitization rules for dictionaries that meet the criteria by setting the data domain.
Displayed only when the rule type is set to Fuzzy Matching Desensitization.
Example:
- Schema name: .* .This is a regular expression for any pattern.
- Table name: .* .This is a regular expression applicable to any table.
- Column name: .*name.* .This is a regular expression that matches any field whose name contains the substring name.
- Template Type-SQL Block Figure 4 Matching Information-SQL Block
Table 4 Parameter escription for SQL Blocking of new policy template Parameter
Description
Matching Content
The Template Type option takes effect when SQL Block is selected.
Select the usage scenario for SQL matching.
One type of matching condition. Matches SQL statements using regular expressions.
Enter a regular expression, for example: .* represents all SQL statements. select .* represents statements starting with select.
- Template Type-Row Access Control Figure 5 Matching nformation-Row Access Control
Table 5 Parameter escription for Row Access Control of new policy template Parameter
Description
Accessible Number of Rows
The Template Type option takes effect when you select Row Access Control.
The number of rows returned to control data access. Must be entered as a numeric value.
- Template Type-SQL Replace Figure 6 Matching nformation-SQL Replace
Table 6 Parameter escription for SQL Replacement of new policy template Parameter
Description
Matching Content
The Template Type option takes effect when you select SQL Replace.
One type of matching condition. Matches SQL statements using regular expressions.
Enter a regular expression, for example: .* represents all SQL statements. select .* represents statements starting with select.
Replace SQL
Display when the rule type is SQL replacement type.
Enter an SQL statement here; the system will replace all SQL statements that meet this policy condition with this statement.
- Template Type-Table Name Replacement Figure 7 Matching nformation-Table Name Replacement
Table 7 Parameter escription for Table Name Replacement of new policy template Parameter
Description
Matching Content
The Template Type option takes effect when you select Table Name Replacement.
Select the usage scenario for SQL matching.
One type of matching condition. Matches SQL statements using regular expressions.
Enter a regular expression, for example: .* represents all SQL statements. select .* represents statements starting with select.
Replace Table
Display when the rule type is: Table Name Replacement Type.
Configure the original table name and the replaced table name.
You can replace table names for multiple tables simultaneously here.
- Template Type: Fuzzy Matching Desensitization.
- Configure response action information of the policy template. Figure 8 Response ction
Table 8 Parameter escription for response actions of new policy template Parameter
Description
Audit
By default, no audit is performed; you can choose Audit or Alarm Audit.
When auditing is enabled, record the user's data access behavior in the Policy Matching Audit if it meets the policy conditions.
When enabling alert auditing, the system records data access behaviors that meet policy conditions in the Policy Matching Audit. Additionally, email alerts are selected based on the alert method, and the alert information is sent to administrators via email. Recipients of these alerts are configured through the Data Specialist role in Operations Asset Control.
Alarm Method
Display when the Audit parameter is set to Alarm Audit.
You can choose email alert notification.
Configure the alert email server. See Alert Notification.
Control Action
Display when the rule type is SQL Block. The display tab is Block.
Block return messages
Display when the rule type is SQL Block. (Required)
The feature allows you to customize SQL blocking messages.
- Click OK.
Related Operations
Subsequently, you may perform the following operations on the Policy Template Management page as needed:
- Edit: Modify the policy template information to reset its basic settings. To modify the policy template, perform the following steps:
- Click the eye icon next to the database type name in the left tree.
- On the right side of the page, display the strategy template for the current database type. Click the Edit button.
- Modify the policy template information. The steps are similar to add strategy template.
- Click OK.
- Delete: To delete the policy template, perform the following steps:
- In the database type list on the left tree, select the database type to which the policy template you want to modify belongs.
- Click the eye icon next to the database type name.
- Display the policy template for the current database type on the right side of the page.
- To delete a policy template, select the template and click Delete.
- Deleting cannot be undone, are you sure?
- Click OK to delete the policy template.
Configure policy templates based on database type because the system uses modified access SQL. Database functions vary across different database types, so separate policy templates must be configured for each type.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot