Skip to Content
Administrator ManualDatabases(New) Policy ManagementException Management

Exception Management

Overview

There are two types of exception handling for policies: cases where policy exceptions are applied through Workflow policy exception requests and cases where administrators directly set policy exceptions. Previous DAC policies only allowed policy exceptions through Workflow exception requests (Unmasking, Restricted Data Access), but new policies allow administrators to directly set policy exceptions and integrate manage them with Workflow-processed ones.

Policy Exception Management Through Workflow

image-20250629-172021.png

The Workflow tab in Databases > Data Policies > Exception Management displays temporary policy exceptions submitted through Workflow and approved, and you can manage their active status.

  • Exception Type : Policy exception types such as Unmasking, Restricted Data Access are displayed.
  • Connection : Target DB connection for policy exception is displayed.
  • Data Path : The path requested in Workflow is displayed. When requested with tags, the target changes dynamically, so no value is displayed in Data Path.
  • Data Tag : Tags specified in the Workflow request form are displayed.
  • Allowed User : Users or groups temporarily approved for policy exceptions are displayed.
  • Start Time
  • End Time
  • Status
    • Active : Indicates that the policy exception is in active status. Administrators can change it to Inactive status.
    • Inactive : When administrators temporarily change the policy exception status to inactive, it is displayed as Inactive.
  • Excepted By : Click the link to view the workflow where the policy exception was approved.

Administrators Directly Setting Policy Exceptions

Manual tab of Databases > Policy Management > Exception Management

Manual tab of Databases > Policy Management > Exception Management

In the Manual tab of Databases > Policy Management > Exception Management, administrators can manually specify policy exception targets.

Setting Policy Exceptions

The method for specifying expiration dates has been changed in 11.3.0.

The item name has been unified to “Policy Exception Schedule” for both Workflow policy exception requests and administrator manual policy exception settings, and it has been changed to explicitly specify the start and end times of the validity period.

In 11.3.0, it has been changed to allow specifying specific data paths using regular expressions for all policy exception types.

Manual Policy Exception Creation

Manual Policy Exception Creation

Click the + Create Exception button and configure settings for the policy exception.

  • Exception Name : Enter the name of the policy exception.
  • Exception Type : Select policy exception types such as Unmasking, Restricted Column Access, Restricted Table Access.
  • Data Scope : Specify target tables or columns for policy exceptions. [11.1.0]
    • When selecting Data Tag, you can specify targets with tags. Only tags set in Databases > Policy Management > Data Paths can be used. Tags with the same key use OR operation, and tags with different keys use AND operation.
    • When selecting Specific data path, you can directly specify target tables or columns. Regular expressions can also be used. [11.3.0]
  • Allowed User : Specify targets that temporarily need policy exceptions.
    • User / Group : You can specify users or groups.
    • Attribute of Users : You can dynamically specify targets using Identifier type attributes registered in user profiles. [11.1.0]
  • Policy Exception Schedule : Set the period during which the policy exception is applied. The maximum validity period for policy exceptions cannot exceed the maximum period set by the administrator (Maximum Policy Exception Period).
    • Specific Period : Specify the start and end times. Can be specified in hours.
    • Time Duration : Specify to be valid for a specified time from the start time.
    • Start On Approval option : For both Specific Period and Time Duration methods, when the Start On Approval option is enabled (checked), the validity takes effect from the approval time. Generally, since the person making the request cannot know the approval time of the approver, using this option is not recommended. (This is because if approval expiration period constraints occur, you may need to make a new request.) Even when using Urgent Mode, the approval time is after the fact and it is unknown when approval will be given, so except for special situations where the Start On Approval option must be used, it is not recommended.
  • Reason for Request : Enter a brief description of the policy exception.

The maximum policy exception period setting is limited by the Maximum Policy Exception Period setting value in Admin > Databases > General > Configurations.

Immediately Changing Policy Exception Status

When administrators create policy exceptions, the policy exception status is maintained until the time specified in Exception Expiration, but in some cases, you may need to immediately release the exception status. You can immediately change the status by selecting Active or Inactive in the Status column of the list, so you can easily respond without deleting or creating new policy exceptions.

image-20250716-055008.png

Modifying Manually Created Policy Exceptions

You can modify the settings by clicking on a specific policy exception row in the list. (Exception Type cannot be changed.)

image-20250716-055149.png

Deleting Manually Created Policy Exceptions

image-20250716-055525.png

By default, policy exceptions expire after a specific time, but policy exceptions created manually by administrators can be deleted at any time. Check one or more specific policy exception rows and click the Delete button.

Last updated on
Data PoliciesMonitoring