Security Control - Data Permission Approval
- Data Permission Approval is a key capability of the data security gateway. All O&M assets are inaccessible to users by default. When users attempt to access the Ops Asset Control repository, access will be denied with a prompt, together with a permission application URL valid for 10 minutes.
- Users can submit access permission applications by clicking the Authorization application button on the WebSQL page of the O&M bastion host, or by directly accessing the provided URL.
- Administrators approve or reject user permission applications on the Data Access Approval page.
Prerequisites
Database operators must submit real-time data access application tickets before performing O&M operations on assets. Relevant operations can only be executed after administrator approval on the approval page.
Approving Data Permissions
- Logging in to the Database Operations and Maintenance Management System using the sysadmin system administrator account.
- Select Ops Asset Management > Ops Asset Control from the left navigation pane to display the asset control list.
- Select an Ops Asset Control record and click the Config button to open a new browser tab.
- Select Security Control > Data Access Approval to load the pending approval list.
- Select a pending permission record and click the Pending Approval button to pop up the Permission Approval Details page.
- Verify application details and click Pass Through to grant permissions to the applicant.
- Verify application details and click Reject to turn down the applicant's permission request. Figure 1 Permission Approval Details
Table 1 Description of ending approval details Parameter
Description
Account Number
Application account information. The virtual account created through the platform user function allows login to both the management platform and the bastion host platform.
Access Tool
The client tool used by the applicant when requesting permission: if a bastion host is used, WebSQL is displayed; if a third-party tool such as DBeaver is used, the corresponding tool name is displayed.
Database User
The database user used when requesting data access permissions.
User IP
The client IP address used when requesting data access permissions.
Permission Type
The types of operations for accessing data include create, delete, update, and read.
It can be one or more.
Database Type
Show the type of asset repository corresponding to the current data permission request: for example, MySQL, Oracle, PostgreSQL, DB2, SQL Server, MariaDB, Kingbase, Dameng, Greenplum, and OpenGauss.
Database IP
Display the IP address of the asset repository corresponding to the current data permission request. Since the client accesses the asset repository indirectly through an access proxy service, the displayed IP address is that of the proxy service.
Database Port
Display the port number of the asset repository corresponding to the current data permission request. Since the client accesses the asset repository indirectly through the access proxy service, the displayed port number refers to that of the proxy service.
Database Name
Show the database name of the asset repository corresponding to the current data permission request
Table
The SCHEMA name for the permission request displayed in the parent table. Table name.
Permission Type
Show the operation type for requesting access to the parent table, including add, delete, modify, and read. One or more types may be specified.
Column Name
Display in the sub-table, showing the field names of the current table.
Notes
Display the field names and database remarks of the current table in the sub-table.
Access SQL
The SQL statement used by data users when accessing the data.
Application Time
Show the duration of the permission request usage, with the start time calculated from when the permission is approved.
Reason to Apply
The reason for the permission request provided by the applicant.
Related Operations
You may perform the following operations on the Data Permission Approval List page as needed:
- Filter Conditions: Click statistical charts or select required criteria in the filter box to quickly locate target entries in the approval list.
- Add Filter: Frequently-used filter criteria can be saved as preset filters.
- Data access permission approval is a common method for data consumers to obtain data access privileges by submitting application tickets, also referred to as real-time access request approval. It is designed for scenarios where data consumers require quick authorization to execute unauthorized SQL during data access.
- If the application is approved, O&M operators can proceed with subsequent data access and maintenance operations. If rejected, relevant data access operations will be unavailable to O&M operators.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot