Database Query Restriction

Users can connect to the database and access different objects in it, and users with varying privileges can access different regions of the database. A security policy is therefore needed that establishes methods for protecting your database from accidental or malicious data destruction or damage to the database infrastructure.

This chapter will consist of the following:

Before you begin

  • The User Group to which you wish to allow or deny access already exists.

Supported Access Types for Database to enable

  • SQL Data Browser
  • MySQL Data Browser
  • Oracle Data Browser

Creating a server access policy

  • Navigate to Policies in the top navigation bar. 
  • Select Server Access Policy from the sidebar. 
  • Click on the Database section. 
  • Click on +Add Server Access Policy. A form with 4 sections will appear. Fill in the essentials step by step.
  • Policy Details: You need to enter the policy details you require. Click on Next.
    • Policy Name: Provide the name of the policy you want to create.
    • Description: Enter a short description of the policy.
    • Policy Type: Select whether you want to allow or deny permissions.
    • Expiry: Set the expiry date of the policy.
  • User Groups: In the Enforced to User Group(s), tick the user groups on which the server access policy will be applied. In the Exception User(s), mention the users that will be exempted from the server access policy. Click on Next.  
  • Parameters: You can select the queries you want to allow or restrict according to the policy. The Confirm option prompts the user who has run the query to confirm whether they want to execute the command. The Elevate option will enable the user to elevate the query. Click on Next.

The Allow permission only allows the selected queries and restricts the rest. The Deny permission denies all the selected queries and enables the rest of the queries. Both options, i.e., Confirm and Elevate, can be chosen next to a query to apply them to it. The Confirm and Elevate options will appear only if the Policy Type is set to 'Allow' in the Policy Details. You can select either Confirm or Elevate, both of them, or neither.

  • Summary: This is the summary of the configuration made. Click on Finish.
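The Allow/Deny semantics described above can be modelled as a small decision function. This is an added illustration, not the product's code: the names `Policy`, `Rule` and `evaluate`, matching a query by its leading SQL keyword, and treating expired policies and exception users as "not-applicable" are all assumptions made for the sketch.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Rule:
    """One query ticked in the Parameters step, with its optional flags."""
    confirm: bool = False
    elevate: bool = False

@dataclass
class Policy:
    name: str
    policy_type: str                  # "allow" or "deny" (Policy Type)
    expiry: date                      # Expiry
    groups: set                       # Enforced to User Group(s)
    exception_users: set = field(default_factory=set)   # Exception User(s)
    rules: dict = field(default_factory=dict)            # keyword -> Rule

    def __post_init__(self):
        if self.policy_type not in ("allow", "deny"):
            raise ValueError("policy_type must be 'allow' or 'deny'")
        flagged = any(r.confirm or r.elevate for r in self.rules.values())
        if self.policy_type == "deny" and flagged:
            # Per the page, Confirm/Elevate appear only for Allow policies.
            raise ValueError("Confirm/Elevate require an Allow policy")

def query_type(sql: str) -> str:
    """Assumed matcher: the leading keyword stands in for a repository entry."""
    parts = sql.split()
    return parts[0].upper() if parts else ""

def evaluate(policy, user, user_groups, sql, today):
    """Return 'allow', 'allow+confirm', 'allow+elevate', 'allow+confirm+elevate',
    'deny', or 'not-applicable' for one query under one policy."""
    if today > policy.expiry:                       # assumption: expired = off
        return "not-applicable"
    if user in policy.exception_users or not (set(user_groups) & policy.groups):
        return "not-applicable"
    rule = policy.rules.get(query_type(sql))
    if policy.policy_type == "deny":
        # Deny: selected queries are blocked, everything else runs.
        return "deny" if rule else "allow"
    if rule is None:
        # Allow: anything not selected is restricted.
        return "deny"
    flags = [n for n, on in (("confirm", rule.confirm), ("elevate", rule.elevate)) if on]
    return "+".join(["allow"] + flags)
```

Running a few sample queries through both policy types before enforcing a policy makes the default-deny behaviour of Allow policies visible: every query not selected in the Parameters step is blocked for the enforced groups.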

Defining privileged queries

The main function of the Query Repository is to provide built-in queries that can be restricted or allowed. By default, a list of general queries is already stored in the Query Repository. To add a new query to the repository, follow the steps below.

  • Navigate to Policies in the navigation bar.
  • Select the Server Access Policy from the sidebar.
  • Click on the Database section.
  • Click on Query Repository. 
  • Click on +Add Query.
  • A page will appear. Fill in the essentials for your new command to be created.
    • Risk category: This consists of the various risk categories mentioned below. Choose the category according to the nature of the command.
      • Unusual user activity: If the user performs some unusual activity in the system.
      • User activity: If a certain user activity is bringing about a risk.
      • Unusual account activity: If the activities of an account in the system are unusual.
      • Data theft and exfiltration: Accessing unauthorized data and retrieving it from a system or server.
      • Privilege account abuse: When a privileged user ignores the policies, or some malicious activity may be taking place through access by an unauthorized user.
      • Accountability risk: Someone who might be responsible for stealing the data from the system or server.
      • Identity theft: Someone who might pretend to be someone else to get access.
      • General: Some misbehavior of the activities due to the user performing them wrongly.
      • Leapfrogging: Adapting directly to the user and system activities to secure data access.
    • Command: Specify the command.
    • Command description: Describe the command.
    • Asset command type: The command type may vary depending on your choice.
      • Administrative
      • Backup
      • Configuration
      • Remote access
  • Click on Save.

Editing a policy

  • Navigate to Policies in the navigation bar. 
  • Select Server Access Policy from the sidebar. 
  • Click on the Database section. 
  • As the new page opens, you will find the list of existing server access policies.
  • Click on the policy name, and the form will appear in front of you where you can make necessary changes.
  • Click on the Update button, and your policy design will be updated.

Editing a command from library

  • Navigate to the Policies option in the navigation bar. 
  • Select Server Access Policy from the sidebar. 
  • Click on the Database section.
  • Click on the +Query Repository, and the list of existing commands created will be displayed.
  • Click on any of the commands you want to modify and make the necessary changes.
  • Click on Update.

Deleting a policy

  • Navigate to Policies in the navigation bar. 
  • Select Server Access Policy from the sidebar. 
  • Click on the Database section. 
  • As the new page opens, you will find the list of existing server access policies.
  • Click the delete icon in the last column.

Deleting a command from library

  • Navigate to Policies in the navigation bar.
  • Select Server Access Policy from the sidebar. 
  • Click on the Database section.
  • Click on +Query Repository, and the list of existing commands created will be displayed.
  • Click on the command you want to delete.
  • Click on Delete.

If any changes are made to a policy after a session has started, the session must be restarted for those changes to take effect.