Updated on 2025-04-29 GMT+08:00

Adding Data Assets

After data assets (databases) are added to the system, you can identify, encrypt, decrypt, and mask sensitive data in the databases.

This section uses the MySQL database as an example. Add data assets based on the site requirements.

Constraint

Table 1 Data sources and versions that can be managed by database encryption

| Database | Version |
|---|---|
| MySQL | 5.5, 5.6, 5.7, 8.0, 8.0.13+ |
| Oracle | 11.1, 11.2, 12c, 19c |
| SQLServer | 2012, 2016 |
| PostgreSQL | 9.4, 11.5 |
| DM | 6, 7.6, 8.1 |
| Kingbase | V8 R3, V8 R6 |
| MariaDB | 10.2 |
| GaussDB | A |
| TDSQL | 5.7 |
| TBASE | V2.15.17.3 |
| RDS_MYSQL | 5.6, 5.7, 8.0 |
| RDS_PostgreSQL | 11 |
| HotDB | 2.5.6 |
| HighGO | 4.5 |
| DWS | 8.1 |

Table 2 Database account permissions for database encryption

| Database | System Catalogs Requiring the SELECT Permission | Database Account Permission |
|---|---|---|
| MySQL | mysql.user, performance_schema.* | select, insert, create, update, delete, drop, alter, index |
| RDS_MYSQL | mysql.user, performance_schema.* | select, insert, create, update, delete, drop, alter, index |
| TDSQL | mysql.user, performance_schema.* | select, insert, create, update, delete, drop, alter, index |
| MariaDB | mysql.user, performance_schema.* | select, insert, create, update, delete, drop, alter, index |
| DM | SYS.ALL_SUBPART_KEY_COLUMNS, SYS.ALL_USERS, SYS.ALL_CONS_COLUMNS, SYS.ALL_CONSTRAINTS, SYS.ALL_TABLES, SYS.ALL_TABLE_COLUMNS, SYS.ALL_COL_COMMENTS, SYS.ALL_PART_KEY_COLUMNS, SYS.ALL_IND_COLUMNS, SYS.ALL_INDEXS, V$VERSION, V$LOCK, SYS.DBMS_LOB, SYS.DBMS_METADATA | The user role must be dba. |
| PostgreSQL | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence | The user must be the table owner or have the dba role. |
| RDS_PostgreSQL | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence | The user must be the table owner or have the dba role. |
| TBASE | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence | The user must be the table owner or have the dba role. |
| GaussDB | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence | The user must be the table owner or have the dba role. |
| Kingbase 8.6 (pg) | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence, pg_catalog.pg_matviews | The user must be the table owner or have the dba role. |
| Kingbase 8.3 | sys_catalog.sys_class, sys_catalog.sys_index, sys_catalog.sys_user, sys_catalog.sys_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, sys_catalog.sys_sequence, sys_catalog.sys_matviews | The user must be the table owner or have the dba role. |
| Oracle | SYS.ALL_SUBPART_KEY_COLUMNS, SYS.DUAL, SYS.ALL_USERS, SYS.ALL_CONS_COLUMNS, SYS.ALL_CONSTRAINTS, SYS.ALL_TABLES, SYS.ALL_TABLE_COLUMNS, SYS.ALL_COL_COMMENTS, SYS.ALL_PART_KEY_COLUMNS, SYS.ALL_IND_COLUMNS, SYS.ALL_INDEXS, SYS.V_$INSTANCE, SYS.DBMS_LOB, SYS.DBMS_METADATA, DBA_TABLES, DBA_TAB_COLS | The user role must be dba. |
| SQLServer | sys.tables, sys.indexes, sys.index_columns, sys.default_constraints, sys.systypes, sys.extended_properties, sys.foreign_key_columns, sys.check_constraints, sys.foreign_keys, sys.columns, sys.objects, sys.all_columns, sys.types, sys.syslogins, sys.all_objects, sys.schemas, sys.key_constraints, sys.computed_columns, sys.triggers, sys.partition_schemes, sys.dm_sql_referencing_entities | schemaSelect, schemaInsert, schemaUpdate, schemaAlter, createTable, VIEW SERVER STATE, and the SELECT, INSERT, and ALTER permissions on the encrypted table |
| HighGO | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence | The user must be the table owner or have the dba role. |
| DWS | pg_catalog.pg_class, pg_catalog.pg_index, pg_catalog.pg_user, pg_catalog.pg_indexes, information_schema.columns, information_schema.sequences, information_schema.tables, pg_catalog.pg_sequence | The user must be the table owner or have the dba role. |
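The following script is an added example, not part of this documentation or of the product, showing how an administrator can prepare and verify a least-privilege MySQL account before adding the asset: it builds the GRANT statements that match the MySQL row of Table 2 and then compares SHOW GRANTS output with those requirements, reporting both missing privileges (what Test Account Permission in the procedure below would reject) and privileges that exceed what encryption needs. The user name enc_svc, host, database name orders, the RISKY_PRIVS list and the three SHOW GRANTS transcripts are all constructed for the example.

```python
import re

# Requirements from Table 2 for MySQL: SELECT on two system catalogs, plus
# eight privileges on the database that will be encrypted.
REQUIRED_CATALOG_SELECT = ("mysql.user", "performance_schema.*")
REQUIRED_DB_PRIVS = frozenset(
    {"SELECT", "INSERT", "CREATE", "UPDATE", "DELETE", "DROP", "ALTER", "INDEX"}
)
# Privileges the encryption account does not need. Flagging them keeps the account
# least-privilege; this list is an assumption of the example, not a page requirement.
RISKY_PRIVS = frozenset(
    {"ALL PRIVILEGES", "SUPER", "FILE", "GRANT OPTION", "CREATE USER", "SHUTDOWN", "PROCESS"}
)

# One line of SHOW GRANTS output, e.g.
#   GRANT SELECT, INSERT ON `orders`.* TO `enc_svc`@`%`
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO (?P<who>\S+)(?P<rest>.*)$", re.I
)


def grant_statements(user, host, database):
    """Build the GRANT statements giving a MySQL account exactly what Table 2 lists."""
    stmts = [
        f"GRANT SELECT ON `mysql`.`user` TO '{user}'@'{host}';",
        f"GRANT SELECT ON `performance_schema`.* TO '{user}'@'{host}';",
    ]
    privs = ", ".join(sorted(REQUIRED_DB_PRIVS))
    stmts.append(f"GRANT {privs} ON `{database}`.* TO '{user}'@'{host}';")
    return stmts


def parse_show_grants(lines):
    """Map each grant scope ('*.*', 'db.*', 'db.table') to the privileges held on it."""
    held = {}
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        scope = m.group("obj").replace("`", "")
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "WITH GRANT OPTION" in m.group("rest").upper():
            privs.add("GRANT OPTION")
        held.setdefault(scope, set()).update(privs)
    return held


def _covers(held, scope, priv):
    """True if priv is held on scope directly, on its database (db.*), or globally (*.*)."""
    db = scope.split(".", 1)[0]
    for s in ("*.*", f"{db}.*", scope):
        privs = held.get(s, set())
        if priv in privs or "ALL PRIVILEGES" in privs:
            return True
    return False


def check_grants(lines, database):
    """Compare SHOW GRANTS output with Table 2; return (missing, excess) lists."""
    held = parse_show_grants(lines)
    missing = [f"SELECT on {cat}" for cat in REQUIRED_CATALOG_SELECT
               if not _covers(held, cat, "SELECT")]
    missing += [f"{p} on {database}.*" for p in sorted(REQUIRED_DB_PRIVS)
                if not _covers(held, f"{database}.*", p)]
    # Anything risky anywhere, or anything beyond USAGE granted globally, is broader
    # than the encryption service needs.
    excess = {f"{p} on {scope}" for scope, privs in held.items() for p in privs
              if p in RISKY_PRIVS or (scope == "*.*" and p != "USAGE")}
    return missing, sorted(excess)


# Constructed SHOW GRANTS transcripts (not captured from a real server).
GRANTS_OK = [
    "GRANT USAGE ON *.* TO `enc_svc`@`%`",
    "GRANT SELECT ON `mysql`.`user` TO `enc_svc`@`%`",
    "GRANT SELECT ON `performance_schema`.* TO `enc_svc`@`%`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `orders`.* TO `enc_svc`@`%`",
]
GRANTS_UNDER = [
    "GRANT USAGE ON *.* TO `enc_svc`@`%`",
    "GRANT SELECT, INSERT, UPDATE ON `orders`.* TO `enc_svc`@`%`",
]
GRANTS_OVER = ["GRANT ALL PRIVILEGES ON *.* TO `dba_like`@`%` WITH GRANT OPTION"]

if __name__ == "__main__":
    for stmt in grant_statements("enc_svc", "10.0.0.5", "orders"):
        print(stmt)
    for name, lines in (("ok", GRANTS_OK), ("under", GRANTS_UNDER), ("over", GRANTS_OVER)):
        missing, excess = check_grants(lines, "orders")
        print(f"{name}: missing={missing} excess={excess}")
```

Run the script against the output of `SHOW GRANTS FOR 'enc_svc'@'%'` pasted into a file; an empty `missing` list is the condition Test Account Permission checks for, and an empty `excess` list is the least-privilege condition an auditor would want in addition.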

Procedure

  1. Log in to a database encryption and access control instance as the sysadmin user.
  2. In the navigation pane, choose Assets Management > Data Source Management.
  3. Click Add Data Source in the upper right corner.
  4. In the Add Data Source dialog box, configure asset information. For details, see Table 3.

    Table 3 Parameters for adding a data source

    Database Information

    | Parameter | Description |
    |---|---|
    | Data Source | Customized data asset name. |
    | Data Source Type | Select a database type from the drop-down list box. For the supported database versions, see Constraint. |
    | Data Source Version | Select a database version from the drop-down list box. |
    | Read/Write Separation/RAC | If the database is deployed in read/write separation mode, select this option and configure the secondary database node. |
    | Data Source Address | IP address of the database. |
    | Data Source Port | Connection port of the database. |
    | Proxy Address | Select a proxy address from the drop-down list box. This is the IP address through which the database is accessed and controlled. |
    | Proxy Port | Set a proxy port. O&M personnel access the database through the proxy IP address and proxy port. The value range is 1025 to 65535. Any idle port in this range can be used, but a port already used by another data asset cannot be reused: if data asset A uses port 14000, data asset B cannot use it. Click Auto Assign to let the system assign an idle proxy port automatically. |
    | Database/Instance/SID/Service/Schema | Set the database, instance name, SID, service name, or schema. |
    | Database Account | Database login user. |
    | Database Password | Password for logging in to the database. |

    Encryption Parameters

    | Parameter | Description |
    |---|---|
    | Encryption Mode | Asset encryption mode. One Key Per Asset: all encrypted data in the asset uses the same DEK; join queries and cross-database queries are supported. One Key Per Column: each encrypted column has its own DEK; join queries and cross-database queries are not supported. |
    | Default Display without Permission | What is displayed to users who do not have permission to access the database. Ciphertext: the ciphertext is displayed, encoded as Base64 or hexadecimal (see Setting Encryption Parameters). Default Data: a default value is displayed; you must set default data of the string type. NULL: the field is blank. |

    (Optional) Host Information

    If a monitoring threshold is configured, the system runs batch encryption only while the database server's resource usage stays within the threshold; when usage exceeds it, encryption stops to limit the impact on services. Setting these parameters is recommended where possible.

    | Parameter | Description |
    |---|---|
    | Host IP | Host IP address. |
    | Host Port | SSH service port of the host. The default SSH service port is 22. |
    | Username | Username for logging in to the host. |
    | Password | Password for logging in to the host. |
    | Character Set | Character set used by the host, obtained automatically after the host is connected. |
    | Host Operating System | Host OS, obtained automatically after the host is connected. |
    | Kernel | Host kernel, obtained automatically after the host is connected. |
    | Monitoring Threshold | Thresholds for the host monitoring metrics (CPU, memory, I/O, and network). The system encrypts database data only while usage stays within these thresholds, to reduce the impact on services. |

    Log Information

    | Parameter | Description |
    |---|---|
    | Database Log File Name | Path and name of the database log file. Example: /usr/local/mysql/binlogs/mysql-bin.000060 |

  5. (Optional) After the configuration is complete, click Test Database Connection and check whether the database can be connected.
  6. (Optional) Click Test Account Permission to check whether the database account permission meets the encryption requirements.

    If the database account permission does not meet the encryption requirements, configure the database account permission by referring to Table 2.

  7. (Optional) If the host information is configured, click Test Host Connection. Check whether the host can be connected and whether its character set and OS can be automatically obtained.
  8. Click Save to save the data asset configuration.

    After the asset is added, you can view its information in the data source list, as shown in Figure 1.

    Figure 1 Data source list

  9. In the list, click to enable the database proxy.

    After this function is enabled, you can access the database through the proxy IP address and proxy port.
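The Proxy Port rules in Table 3 (a value between 1025 and 65535 that no other data asset already uses, with Auto Assign picking an idle port) can be checked before the dialog is filled in. The validator below is an added example, not product code; the set of ports in use and the choice of the lowest idle port for auto-assignment are assumptions of the example, since the page does not say which idle port the system picks.

```python
PROXY_PORT_MIN, PROXY_PORT_MAX = 1025, 65535  # range stated for the Proxy Port parameter


def validate_proxy_port(port, used_ports):
    """Return None if `port` can be used for a new data asset, otherwise the reason it cannot.

    `used_ports` holds the proxy ports already assigned to other data assets.
    """
    if isinstance(port, bool) or not isinstance(port, int):
        return f"port must be an integer, got {port!r}"
    if not PROXY_PORT_MIN <= port <= PROXY_PORT_MAX:
        return f"port {port} is outside the allowed range {PROXY_PORT_MIN}-{PROXY_PORT_MAX}"
    if port in used_ports:
        return f"port {port} is already used by another data asset"
    return None


def auto_assign_proxy_port(used_ports, start=PROXY_PORT_MIN):
    """Pick the lowest idle port at or above `start` (assumed behaviour of Auto Assign)."""
    for port in range(max(start, PROXY_PORT_MIN), PROXY_PORT_MAX + 1):
        if port not in used_ports:
            return port
    raise RuntimeError("no idle proxy port left in range")


# Constructed example: data asset A already uses proxy port 14000, as in the page's own example.
USED_PORTS = {14000}

if __name__ == "__main__":
    for candidate in (80, 14000, 14001):
        print(candidate, validate_proxy_port(candidate, USED_PORTS) or "ok")
    print("auto:", auto_assign_proxy_port(USED_PORTS, start=14000))
```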

Related Operations

  • Click in the Policy Configuration column of the data source list. The encryption task configuration page is displayed. You are advised to identify sensitive data before configuring an encryption task. For details, see Scanning Sensitive Data in Assets.
  • Click in the Policy Configuration column of the data source list. The masking rule configuration page is displayed. You are advised to identify sensitive data before configuring a masking rule. For details, see Scanning Sensitive Data in Assets.
  • Click Edit in the Actions column of the data source list to modify data asset information.
  • Click Delete in the Actions column of the data source list to delete unnecessary data assets.

    If a message indicates that the table structure of the current database has not been rolled back, perform the operations in Rolling Back the Table Structure or Configuring a Decryption Task, based on site requirements.