Updated on 2025-08-12 GMT+08:00

Policy Management

The administrator creates policies for database audit, watermarking, and static masking on the policy management page of the policy center, and then deploys these policies to the relevant services or instances.

Database Types and Versions That Support Database Encryption

Data Source Type

Version

MySQL

5.6, 5.7, 5.8, and 8.0

SQL Server

  • 2019_SE, 2019_EE, and 2019_WEB
  • 2017_SE, 2017_EE, and 2017_WEB
  • 2016_SE, 2016_EE, and 2016_WEB
  • 2014_SE and 2014_EE
  • 2012_SE, 2012_EE, and 2012_WEB
  • 2008_R2_EE and 2008_R2_WEB

Oracle

11 and 12

PostgreSQL

13, 12, 11, 10, 9.6, 9.5, and 9.4

Kingbase

V8

DMDBMS (Dameng)

7 and 8

TDSQL

10.3.X

DWS

8.1.X

Policy Types

  • Database audit: Monitor and records database activities to ensure data integrity, security, and compliance.
  • Database watermarking: Embed invisible identifiers into data to verify data authenticity and ownership and trace data leakage sources.
  • Static database masking: Mask sensitive data to ensure privacy and security while retaining the data structure and statistics features.

Creating a Policy

The following part describes how to create a policy.

Connect to the DBSS service to monitor and record database instances that do not require agent audits, ensuring data integrity, security, and compliance.

Prerequisites

DBSS has been enabled and an instance has been added.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  4. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  5. Select the Database audit policy type.
  6. Click Start configuring. The page for configuring the database audit policy type is displayed.
  7. Set the parameters by referring to Table 1.

    Table 1 Parameters for configuring a database audit policy

    Parameter

    Description

    Policy Name

    Enter a policy name. The name can contain a maximum of 255 characters, including letters, digits, underscores (_), and hyphens (-).

    Associated Instance

    Select a database audit instance from the drop-down list.

    Target Data Source

    Select the target data source from the drop-down list. Only database instances that do not require agent audit are supported.

    Display Result Set

    When the function for recording result sets is enabled, the system logs the SQL result content. You can view this content in the logs. If the function is disabled, the SQL result in the log details will be empty.

    Recording result sets may lead to information leakage. Therefore, it is recommended not to enable this function.

    Mask Privacy Data

    You are advised to set masking rules to prevent sensitive data leakage.

  8. Click Save and Deliver. The policy list is displayed, showing the newly created policy.

Embed invisible identifiers into data to verify data authenticity and ownership and trace data leakage sources.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  4. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  5. Select the Database Watermark policy type.
  6. Click Start configuring. On the Database Watermarking page that is displayed, create a watermark injection or watermark extraction task. For details, see Injecting or Extracting Database Watermarks.

Mask sensitive data to ensure privacy and security while retaining the data structure and statistics features.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Policy Center > Policy Management. The Policy Management page is displayed.
  4. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  5. Select the Static database masking policy type.
  6. Click Start configuring. On the displayed data masking page, create a data masking task. For details, see Creating a Static Data Masking Task.

Mask sensitive data in real time to ensure that unauthorized data cannot be accessed.

Prerequisites

Sensitive data in the data source to be encrypted has been identified.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. Choose Policy Center > Policy Management.
  4. Click Create Policy in the upper left corner. The Create Policy page is displayed.
  5. Select the Dynamic database masking policy type.
  6. Click Start configuring. The page for configuring a dynamic database masking policy is displayed.
  7. Set the parameters by referring to Table 2.

    Table 2 Parameters for configuring a dynamic database masking policy

    Parameter

    Description

    Policy Name

    Enter a policy name. The name can contain only letters, digits, underscores (_), and hyphens (-).

    Associated Instance

    Database encryption gateway

    Target Data Source

    Select a target data source from the drop-down list box.

    Masking Service Port

    The port numbers range from 14000 to 14999. Different database instances (sharing the same address and port) utilize distinct proxy ports. A single database instance consistently uses the same proxy port. When a data source for the same database instance is added, the proxy port is automatically populated.

    Table

    Select a table from the drop-down list.

    Table Information

    This parameter is displayed after you select a table.

    Table information, including Field Name, Field Type, Data Level, and Masking Algorithm.

  8. Click Save and Deliver. The policy list is displayed, showing the newly created policy.

Related Operations

  • Disabling a policy: You can click Disable in the Operation column of a policy that is enabled and successfully delivered to disable the policy. After you click Disable, the policy status changes to Disabled (Delivering). When the policy status changes to Disabled (Delivered), the policy is disabled.

    After an encryption policy is enabled and delivered, it cannot be disabled or deleted. You can click Decrypt under Operation > More to decrypt the corresponding encryption policy. After decryption, a suffix is appended to the encryption policy name. A new decryption policy will not be generated.

  • Deleting a policy: Click Delete in the Operation column of a policy that is successfully delivered to delete the policy. After you click Delete, a message is displayed in the upper right corner of the page, indicating that the policy is successfully deleted.