
Overview

Data Policies is a feature in QueryPie for setting and managing data governance policies such as data access control, data masking, and enforcement of usage reason input. Through this feature, you can manage data security, personal information protection, and regulatory compliance.

Accessing Policy Creation Screen


  1. Expand the Policy Management section in the left sidebar.
  2. Click the Data Policies menu.
  3. Click the Create Policy button at the top to navigate to the policy creation screen.

Setting Policy Basic Information


Set the following information in the Information section of the policy creation screen:

  1. Name : Enter the policy name. (Required field)
  2. Policy Type : Select the policy type to apply from the dropdown menu. (Required field)
  3. Description : Enter a description of the policy. (Optional)

Policy Type Introduction

QueryPie provides the following policy types:

  1. Column Data Masking
    • Applies data masking policies to columns.
    • Uses regex-based masking patterns to detect and mask specific data patterns. (Masking Patterns)
    • When users query the corresponding column, it is displayed in {masked} format, and clicking on the cell displays the masked data.
  2. Table Access Restriction
    • Applies access blocking policies to tables.
    • When users try to query the corresponding table, access is blocked and a no permission message is displayed.
    • Message: "You don't have permission to access the table 'database.table'. Please check your privileges."
  3. Column Access Restriction
    • Applies access blocking policies to columns.
    • When users try to query the corresponding column, it is displayed in {restricted} format and access is blocked.
  4. Table Access Justification Requirement
    • Enforces reason input for specific table operations.
    • When users perform selected operations (e.g., SELECT queries, data export), a reason input modal is displayed.
    • The entered reason is recorded in the Execution Reason of Query Audit.
  5. Sensitive Data Access Monitoring
    • Allows administrators to designate specific tables or columns as sensitive information and generate alerts when accessed.
    • The policy sets which paths are treated as sensitive information; alert settings are configured in General > Company Management > Alert.
      (As of 11.0.0, the Sensitive Data Access Monitoring Alert setting feature for new policies is not implemented.)
  6. DML Query Approval Enforcement
    • Forces approval procedures through Workflow when performing INSERT, UPDATE, DELETE queries on specific tables.
    • Before creating this policy, you must first create an Approval Rule of SQL Request Type in General > Workflow Management > Approval Rules. The person performing INSERT, UPDATE, or DELETE is assumed to have already been granted the corresponding privilege. For the person performing the query to be the requester themselves, “Allow Assignee selection (All Users)” must be selected in the Assignee for Execution item of the Execution section, as shown in the figure below. This lets users who have INSERT, UPDATE, DELETE permissions but are not administrators perform queries through approval.
    • If an Approval Rule is created, you can specify the Approval Rule to link with the policy as shown in the figure below.
    • DML Query Approval Enforcement cannot specify targets with tags and must specify specific data paths.

Setting Policy Application Targets

Set the user scope to which the policy will be applied in the User Scope section of the policy creation screen.


Scope Type

  1. Everyone : The policy is applied to all users. (Default value)
  2. Users or Groups : The policy is applied only to selected specific users or groups.
  3. Attribute of Users : Used when you want to dynamically apply policies to users with specific attributes. [11.1.0]

Exclusions

You can set targets to exclude from policy application. Exclusion targets can only be specified when the Scope Type of the User Scope is Everyone. Unlike a Policy Exception, which has a set period, Exclusion targets have the same lifecycle as the policy: they apply for as long as the policy exists. (Policy application targets = all users minus the specific users or groups specified in exclusions.)

  1. None : Applied to all users according to Scope Type without exclusions. (Default value)
  2. Users and Groups : Excludes selected users or groups from policy application.

Setting Policy Target Data

Set the data to which the policy will be applied in the Data Scope section of the policy creation screen.


Scope Type

Currently, policies can only be applied based on tags:

  1. Data tags : Select policy application targets based on tags set in the Data Paths menu.
    • When this option is selected, you can select tables or columns to apply policies to by specifying tag keys and values.
  2. Specific data path : Option to directly specify specific data paths. (From 11.0.0)
    • After selecting this option, click the Add target button to specify Database, Schema, Table, Column in the popup dialog, and you can also use regular expressions.
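
The scope rules above can be checked before a policy is entered in the console. The following is an added example, not QueryPie code: the Policy dataclass, its field names, the sample directory and the assumption that a group entry covers its members are all hypothetical. It validates the constraints this page states and lists the users a policy never applies to, since exclusions are standing exemptions that last as long as the policy.

```python
from dataclasses import dataclass, field

# Type and scope names come from the page; this dataclass is a hypothetical
# review model, not QueryPie's API or export format.
POLICY_TYPES = {
    "Column Data Masking", "Table Access Restriction",
    "Column Access Restriction", "Table Access Justification Requirement",
    "Sensitive Data Access Monitoring", "DML Query Approval Enforcement",
}

@dataclass
class Policy:
    name: str
    policy_type: str
    user_scope: str = "Everyone"                  # or "Users or Groups"
    members: set = field(default_factory=set)     # used by "Users or Groups"
    exclusions: set = field(default_factory=set)  # only valid with "Everyone"
    data_scope: str = "Data tags"                 # or "Specific data path"

def validate(p):
    """Return the rule violations the page describes for a policy definition."""
    errors = []
    if not p.name.strip():
        errors.append("Name is required")
    if p.policy_type not in POLICY_TYPES:
        errors.append("Policy Type is required")
    if p.exclusions and p.user_scope != "Everyone":
        errors.append("Exclusions need User Scope 'Everyone'")
    if (p.policy_type == "DML Query Approval Enforcement"
            and p.data_scope != "Specific data path"):
        errors.append("DML approval needs a specific data path, not tags")
    return errors

def applies_to(p, user, groups=()):
    """True if the policy covers this user (assumed: group entries cover members)."""
    identities = {user, *groups}
    if p.user_scope == "Everyone":
        return not (identities & p.exclusions)    # Everyone minus exclusions
    if p.user_scope == "Users or Groups":
        return bool(identities & p.members)
    raise ValueError(f"scope not modelled here: {p.user_scope}")

def uncovered(p, directory):
    """List users a policy never applies to: standing exemptions to review."""
    return sorted(u for u, g in directory.items() if not applies_to(p, u, g))

# Constructed sample data, not taken from any real deployment.
DIRECTORY = {"alice": ["analysts"], "bob": ["dba-team"], "carol": []}
MASK_PII = Policy("mask-pii", "Column Data Masking", exclusions={"dba-team", "carol"})

if __name__ == "__main__":
    print(validate(MASK_PII), uncovered(MASK_PII, DIRECTORY))
```

The "Attribute of Users" scope is not modelled and raises an error rather than guessing how attributes are matched.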

Saving Policies

When all settings are complete, click the Save button at the bottom of the screen to save the policy. Click the Cancel button to cancel saving.

Precautions

  • Since policy settings are based on data tags, appropriate tags must be assigned in the Data Paths menu before setting policies.
  • Policies only support the database types listed below, and policies cannot be applied to unsupported database types.
    • MySQL, MariaDB, Impala, Single Store, Hive, BigQuery, Oracle, PostgreSQL, SQLServer, Redshift, MS SQL Azure, SAP Hana, Trino, Athena, MongoDB, DocumentDB, Cassandra, ScyllaDB, DynamoDB, Redis