Updated on 2026-07-07 GMT+08:00

Example of data anonymization policy configuration

Sensitive data is displayed in desensitized form upon access to protect data security.

Adding a custom policy

  1. Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
  2. Select Ops Asset Management > Ops Asset Control in the left navigation bar, pick an asset control item and click the Config button to open a new browser page.

    Figure 1 Operation and maintenance asset control

  3. Select Security Control > Policy Management, and the page displays the pending list.
  4. Click New, then select the policy type Fuzzy Matching Desensitization from the drop-down menu. Refer to Table 1 for parameter descriptions of data desensitization policy configuration.

    Figure 2 Policy management
    Table 1 Table1 Data anonymization strategy configuration parameter description

    Parameter

    Description

    Basic Information

    Policy Name

    The name of this policy. (Required)

    Policy Template

    Select the previously configured policy template for quick filling.

    Policy Description

    Information on the usage scenarios and applicable situations of this strategy

    Conditional Information

    Operations and Maintenance User

    Used to define the prevention and control scope for application users.

    Operations and Maintenance Role

    User Management-Role Information: Definition of system role functions. Each user can belong to one or more roles.

    Organization

    User Management-Organization: The organization information defined in the organization function allows each user to belong to one organization.

    Database User

    Used to define the protection scope for database users.

    Client IP

    Define the range of IP addresses and determine the scope of security controls using various IP address operators such as equal to, includes, and excludes. It also supports direct reference to IP templates.

    Client Tools

    The name of the client tool used by operations personnel to access data, such as WebSQL.

    Impact Period

    Select the start and end times for the current rules effective period.

    Matching Information

    Matching Content

    Regular expression for matching SQL.

    Schema Name

    Belongs to column desensitization. Filter condition for the schema name, regular expression.

    Table Name

    Belongs to column desensitization. Filter condition for table names: regular expression.

    Column name

    Belongs to column desensitization. Filter conditions listed, regular expressions.

    Data Domain

    Belongs to the desensitization subitem. Columns that meet the conditions are desensitized according to the corresponding data field rules.

    Response Action

    Audit

    Configure whether auditing and alerts are enabled. Enabling auditing will record logs, which can be viewed by the audit administrator.

    • Alarm Audit
    • Audit
    • No Audit

    Alarm Type

    Display this parameter when the Audit option is set to Alarm Audit.

    When configuring alarm auditing, you can select an alarm email address (selected from the data specialist in the current controlled asset database). An alarm email will be sent to the specified email address when the policy is triggered.

  5. Fill in basic policy information, condition information, matching information (only applicable to certain policies), response actions and other relevant items.

    The basic information includes policy name, policy template, and policy description. The policy template allows selection of pre-created templates for quick policy information filling. Condition information comprises operations user, operations role, organizational unit, database user, client IP, client tool, and affected time period. Logical AND/OR relationships between conditions enable flexible condition control. Matching information includes matching content (entering regular expressions for SQL queries) and column anonymization settings specifying which columns to anonymize and corresponding rules. Response actions configure audit and alert configurations: Audit enables log recording viewable by administrators; Alert auditing allows specifying alert email addresses (selected from data specialists in the controlled asset repository), with alerts sent to designated mailboxes upon policy activation.

  6. Enter the policy name: Fuzzy Matching Desensitization Policy for NAME Field.
  7. Select sysadmin under the corresponding role as the O&M user.
  8. Match information entry: .* (select).* (from).*
  9. Column desensitization settings: Schema name: .*;Table name: .*;Column name: .*name.*;Data Domain: Name.
  10. Select Audit for response action.

    Figure 3 Matching information

  11. Click OK.

Enable Custom Policy

  1. Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
  2. Select Ops Asset Management > Ops Asset Control in the left navigation bar, pick an asset control entry and click the Config button to open a new page in the browser.
  3. Select Security Control > Policy Management, and the pending approval list is displayed on the page.
  4. Click Enable rule. A prompt Confirm or not? EnableThe Rule? then click OK.

    Figure 4 Enable policy management

Verify Configuration Result

  1. Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
  2. Access the database successfully via the web terminal of the O&M bastion host.

    • Use the security client: In the left navigation bar, select Ops Bastion Host Inventory and click One-Click Login. A new tab for the O&M bastion host will open in the browser .
    • On the O&M bastion host management page, select the newly added O&M asset and click the WEB terminal icon.
    • A new WebSQL tab will launch in the browser, and the database will be connected successfully through the proxy service.
    • Double-click a table name in the lower area; the corresponding query statement will be automatically filled into the SQL editing area on the right.
    • Click the Execute button.
      Figure 5 WebSQL execution button location
    • Data fields containing name in their names are displayed in desensitized form within the query result area.