Updated on 2026-07-07 GMT+08:00

Security Control-Policy Management

  • The primary granularity can be refined to users, roles, IPs, hosts, time, and more.
  • The object granularity can be set for rows, columns, and other properties.
  • The granularity of operations can range from basic actions and SQL statements to blocking and substitution.
  • All access actions are audited.
  • Policy management supports comprehensive security policy configurations, including Field Desensitization, Fuzzy Matching Desensitization, SQL Block, Row Access Control, SQL Replace, Table Name Replacement, Black and White List, and Access Audit policies. The key policy features are summarized below:
    • Field Desensitization: Configure dynamic desensitization rules for table columns in databases. Users can automatically generate field desensitization rules based on discovery versions saved from finished discovery tasks, or manually configure dynamic desensitization rules.
    • Fuzzy Matching Desensitization: This function supports fuzzy matching desensitization. By configuring regular expression conditions, users can bind default desensitization rules of specified data domains to eligible schema names, table names and column names.
    • SQL Block: It provides control policies for DML, DCL and DDL. It supports control policies for DML statements such as Update, Insert, Delete and Truncate; control policies for DCL statements including Grant and Revoke, as well as high-risk blocking policies for DDL statements like Create and Alter. Custom blocking messages can be returned as required.
    • Row Access Control: This policy ensures data security at the row level. First, it controls the number of rows returned; second, it automatically filters rows that meet high-risk condition restrictions.
    • SQL Replace: It delivers the security control capability of SQL replacement. When O&M personnel execute high-risk database operations, the original SQL will be replaced with preset low-risk SQL to reduce access risks.
    • Table Name Replacement: It supports table name replacement for security control. When O&M staff conduct specific operations on high-risk tables, the accessed table name will be replaced with a specified alternative name to lower access risks.
    • Black and White List: It supports allowlist and blocklist policies based on time, IP addresses, database accounts, O&M accounts and more. Policy execution logic: access failing to satisfy allowlist rules will be blocked directly; access compliant with allowlist is still restricted by other policies; all access matching blocklist rules will be blocked immediately.
    • Access Audit: It supports independent policy auditing for access behaviors of specified users. After the user meets access requirements, all their access activities will be recorded into policy matching audit logs for auditors' review.

Prerequisites

Before configuring policies for O&M users, O&M roles and company, users need to complete relevant configuration in User Management > Platform Users, User Management > System Roles and User Management > Company in advance.

When selecting a policy template, users shall first configure the policy template of the required policy type under Rule Management > Desensitization Rules and Strategy Template.

Adding a New Policy

  1. Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
  2. In the left navigation bar, select Ops Asset Management > Ops Asset Control, and the asset control list is displayed on the page.
  3. Select an Ops Asset Control entry and click the Config button to open a new browser tab.
  4. Select Security Control > Policy Management, and the pending approval list appears on the page.
  5. Click New, then select the policy type from the drop-down list.

    Figure 1 Policy anagement

  6. Fill in basic policy information, condition information, matching information (available for partial policies), response actions and other contents.

    You may also select a rule template to directly import data from the template for subsequent configuration. Refer to Strategy Template.
    Figure 2 Adding a ew policy
    Table 1 Basic nformation description

    Parameter

    Description

    Basic Information

    Policy Name

    Input any string starting with a character for convenient management and identification. (Required)

    Policy Template

    Rule templates created under Rule Management > Desensitization Rules to facilitate rapid policy configuration.

    Not available if the newly created policy type is Field Desensitization or Black and White List.

    Policy Type

    Select the type of allowlist or blocklist. Displayed only when the newly added type is Black and White List.

    • whitelist.
    • Blacklist.

    Policy Description

    Enter the descriptive information for the current rule.

    Conditional Information

    Operations and Maintenance User

    Used to define the prevention and control scope for application users.

    Operations and Maintenance Role

    User Management-Role Information: Definition of system role functions. Each user can belong to one or more roles.

    Organization

    Organization information configured under User Management > Company; each user belongs to one organization only.

    Database User

    Used to define the access control scope of database user.

    Client IP

    Used to define the range of IP addresses. The security control scope is determined via various IP operators including Equal To, Contains and Does Not Contain. Direct reference of IP templates is also supported.

    Client Hostname

    Terminal host name (Available for Oracle, Dameng and MS SQL Server databases only).

    Client OS User

    Client operating system user (Available for Oracle databases only).

    Client Tools

    Name of client tools adopted by O&M personnel to access data, such as WebSQL.

    Impact Period

    Valid time range of the current rule; select the start time and end time.

    Matching Information

    Matching content (Required)

    One type of matching condition. It matches SQL statements via regular expressions.

    Displayed only when the rule type is Fuzzy Matching Desensitization, SQL Block, SQL Replace or Table Name Replacement.

    Fill in regular expressions. For example: .* stands for all SQL statements; select.* matches all statements starting with select.

    Column Masking (Required)

    One type of matching condition. It matches schema names, table names and column names with regular expressions, and configures desensitization rules in batches for qualified fields by setting data domains.

    Displayed only when the rule type is Fuzzy Matching Desensitization.

    Examples:

    Schema name: *. This is a regular expression for any pattern.

    Table name: *. This is a regular expression applicable to any table.

    Column name: *.name.* is a regular expression that identifies fields where the field name contains NAME.

    Accessible Number of Rows

    Displayed only when the rule type is Row Access Control.

    Used to limit the maximum number of data rows returned upon access. Numeric input is mandatory.

    Disabled Access Condition

    Displayed only when the rule type is Row Access Control.

    Used to restrict query, update and delete operations on rows that meet specified criteria.

    Multiple conditions can be configured within a single policy.

    Replace SQL(Required)

    Displayed if the rule type is SQL Replace.

    Input an SQL statement here. All SQL satisfying the policy conditions will be replaced with this statement by the system.

    Replace Table

    Displayed if the rule type is Table Name Replacement.

    Configure the original table name and target replacement table name.

    Table name replacement for multiple tables can be set simultaneously.

    Response Action

    Audit

    The default setting is No Audit; available options include Audit and Alarm Audit.

    If Audit is enabled: all user data access activities matching policy conditions will be recorded into the policy matching log.

    If Alert Audit is enabled: matching access behaviors will be logged to the Policy Matching Audit. Meanwhile, alert notifications will be sent to administrators via email per selected alert mode. Recipients are configured as Data Specialists under O&M Asset Control.

    Alarm Type

    Displayed when Alarm Audit is selected for the Audit option.

    Email alert is available for selection.

    Refer to Alert Notification.

    Control Action

    Displayed under the Block tab when the rule type is SQL Block.

    Block return messages (Required)

    Displayed when the rule type is SQL Block.

    This function supports customized prompt messages for blocked SQL requests.

  7. Click OK. A newly created policy appears at the bottom of the policy list on the right (Blacklist and whitelist policies are placed before all other policies).

Related Operations

You can then perform the following actions on the Strategy Management List page as needed:

  • Edit Policy: Select a policy from the policy list to view its preview information on the right of the page. Click the Edit button at the bottom to modify rule details. After finishing modifications, click OK to save the policy. Click the button beside the policy list name to make the changes officially effective.
  • Delete Policy: Click the trash-shaped delete icon beside the policy name to remove the corresponding policy. A secondary confirmation is required to avoid erroneous manual deletion.
  • Policy Sorting: Policies are executed in top-to-bottom order. To adjust the execution sequence, left-click and hold a target policy, drag it up or down to the desired position, then release the mouse. The new sorting takes effect immediately.
  • Policy Enable/Disable: Rules of newly created policies are disabled by default. Click the button after the policy name to enable the policy, or click the same button to temporarily disable it without deleting the policy. Any enable or disable modification shall take effect only after clicking the OK button to avoid misoperation. The red icon means disabled status (click to enable), while the green icon means enabled status (click to disable).
  • Quick Search: Two filtering options are available above the policy list: a drop-down selector for policy type and fuzzy search by policy name. These two filters enable quick location of target security policies by type or name.
  • The Black and White List strategy has the highest priority, so it cannot be reordered by dragging downward.
  • You can freely drag and drop between other strategies to switch and sort them.

Creating a Policy Scenario

Click the New and select the policy rule type.

  1. Field Desensitization: Configure desensitization rules for specified table fields, or use the discovery task. Manually select and apply the version results confirmed by the discovery task. Automatically configure desensitization rules for table fields in batches.
    1. Step 1: Enter the field rule name, remarks, and condition information. Click Next.
    2. Step 2: Go to the field desensitization rule configuration page.
    3. First select the SCHEMA range for which you want to configure the desensitization rules.
    4. Click the Query button, and the table information for this Schema will be displayed below.
    5. When you create a table, the field desensitization rules are automatically applied based on the version saved in the discovery task results. You can also manually configure the field desensitization rules.
    6. After completing the configuration, click OK to save the field rule.
    7. Click the button behind the policy name to activate the newly configured policy.
    8. Upon completion, when the database client accesses the data, the policy can be triggered if the condition is met (the specified field data in the returned result will be anonymized).
  2. Fuzzy Matching Desensitization: You can configure desensitization rules for fields in batches. The desensitization rule is triggered when the subject information matches the specified criteria.
    1. A desensitization rule specifies the database user, the matching content, and the specific fields from which schema tables to be desensitized according to predefined rules.
    2. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    3. Upon completion, when the database client accesses the data, the policy can be triggered if the condition is met (the specified field data in the returned result will be anonymized).
  3. SQL Block: The blocking rule is triggered when the subject information and matching information are satisfied.
    1. Create a blocking rule, add a database user, and specify the matching content and blocking message.
    2. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    3. Upon completion, when the database client accesses the data, the policy can be triggered if the condition is met (block and return a blocking message).
  4. Row Access Control: Control which rows of data are not accessible. The row access control rule is triggered when the subject information and matching information are satisfied.
    1. Access control rules allow you to restrict a user from accessing row data with specified field values.
    2. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    3. Upon completion, when the database client accesses the data, if the condition is met, the policy can be triggered (the row containing the specified field data in the returned result will not be queried).
  5. SQL Replace: The SQL replacement rule is triggered when the subject information and matching information are satisfied.
    1. Create a new SQL substitution rule, add a database user, and specify the matching content and the replacement SQL statement.
    2. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    3. Upon completion, when the database client accesses the data, the policy can be triggered if the condition is met (returning the replaced SQL execution result).
  6. Table Name Replacement: The table replacement rule is triggered when the subject information and matching information are satisfied.
    1. Create a table replacement rule, adding the database user, the matching content, and the names of the original and replaced tables.
    2. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    3. Upon completion, when the database client accesses the data, the policy can be triggered if the condition is met (the table name in SQL will be replaced and executed).
  7. Black and White List: You can specify the scope of whitelists and blacklists for the operations asset control database.
    1. The whitelist defines the scope of access permitted by the operational asset control database, but it is subject to other rules.
    2. The blacklist represents an restricted access scope that is unaffected by any rules. Entities listed on the blacklist cannot access operational asset controls.
    3. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    4. Once completed, when the database client accesses the data, the policy can be triggered if the condition is met.
  8. Access Audit: You can audit access records for specified user subject information.
    1. Click OK after configuration, then click the button behind the policy name to activate the newly configured policy.
    2. Upon completion, when the database client accesses data, the policy can be triggered if the condition is met (the users access information will be recorded in the rule audit log).