# Protection Rules
The Protection Rules page allows administrators to configure security policy rules for each database connection in OneDB.
Protection Rules are used to monitor, block, or rewrite database queries that may expose sensitive data, perform risky operations, create performance issues, or indicate possible SQL injection attempts.
This feature helps administrators apply consistent security controls across supported database platforms such as PostgreSQL, MySQL, Oracle, and MSSQL.
## Accessing Protection Rules
To access the Protection Rules page:
- Open the OneDB Administration Console.
- Go to Security Policy.
- Select Protection Rules.
The page displays available protection categories and the rules configured for the selected database connection.
## Selecting a Connection
Before configuring protection rules, select a database connection from the Connections dropdown.
The dropdown displays available connections with their database type, for example:
- postgresql-local - POSTGRESQL
- mysql-local - MYSQL
- Oracle-On_cloue - ORACLE
- MsSQL-On-Cloud - MSSQL
After a connection is selected, OneDB displays the selected connection information, including:
| Field | Description |
|---|---|
| Connection ID | Unique identifier of the selected database connection. |
| Connection Name | Name of the database connection. |
| Database Type | Database platform used by the connection. |
| Database / Schema | Database or schema assigned to the connection. |
| IP / Host | IP address or hostname of the database server. |
| Port | Database server port. |
This helps administrators confirm that the protection rules are being configured for the correct database target.
## Protection Rule Categories
Protection Rules are grouped into four categories:
| Category | Description |
|---|---|
| Query Protection | Manages query-level monitoring, blocking, and rewrite rules. |
| Extraction Protection | Manages sensitive data extraction and bulk access protection rules. |
| Performance Protection | Manages database performance guardrails and expensive query protection rules. |
| SQL Injection Protection | Manages SQL injection detection, monitoring, and blocking rules. |
Each category contains predefined rules that can be enabled, disabled, and configured based on the selected connection.
## Rule Configuration Fields
Each rule contains the following configuration fields:
| Field | Description |
|---|---|
| Rule | The name of the protection rule. |
| Description | Explanation of what the rule detects or controls. |
| Mode | Defines how OneDB handles the detected query or activity. |
| Value | Optional threshold, limit, or configuration value required by the rule. |
| Enabled | Determines whether the rule is active for the selected connection. |
## Rule Modes
Each protection rule can be configured using one of the available modes.
| Mode | Description |
|---|---|
| Monitor | OneDB detects and records the activity without blocking the query. |
| Block | OneDB blocks the query when the rule condition is matched. |
| Rewrite | OneDB rewrites or adjusts the query when applicable. |
Use Monitor mode when evaluating behavior or testing a policy before enforcing it. Use Block mode when the rule should prevent risky or unauthorized activity. Use Rewrite mode when OneDB should automatically adjust the query behavior, such as applying safer query limits where supported.
## Query Protection
The Query Protection tab manages query-level controls for risky or unsafe SQL operations.
This category is useful for detecting or preventing statements that may cause accidental data changes, full table deletion, schema changes, or unauthorized write operations.
The available Query Protection rules include:
| Rule | Description |
|---|---|
| DELETE without WHERE | Prevents DELETE statements without a WHERE clause to avoid accidental full table deletion. |
| UPDATE without WHERE | Prevents UPDATE statements without a WHERE clause to avoid accidental full table updates. |
| Require LIMIT Clause | Automatically enforces or recommends LIMIT usage for SELECT queries to reduce large result set exposure. |
| DROP TABLE Protection | Blocks DROP TABLE statements to prevent accidental or unauthorized table deletion. |
| TRUNCATE TABLE Protection | Blocks TRUNCATE TABLE statements because they can quickly remove all records from a table. |
| DROP DATABASE / SCHEMA Protection | Blocks DROP DATABASE and DROP SCHEMA statements to prevent destructive database-level operations. |
| ALTER TABLE Protection | Detects or blocks ALTER TABLE statements that may change database structure in production. |
| Read-only Mode Enforcement | Blocks non-SELECT statements for users, applications, or connections that should only perform read operations. |
| Business Hours Protection | Detects or blocks risky DDL and DML operations outside approved business or maintenance windows. |
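The Monitor, Block and Rewrite semantics from the Rule Modes section, applied to four of the Query Protection rules in the table above, as an added Python example; this is not OneDB's own engine. The rule names and the value 100000 come from this page; the `Rule` and `Decision` types, the keyword-matching detectors and the LIMIT-appending rewrite are simplifying assumptions made here, and a real proxy would parse the SQL rather than match keywords.

```python
# Added example (not OneDB code): Monitor / Block / Rewrite applied to four
# Query Protection rules. Detectors are keyword heuristics, an assumption made
# here for brevity; a real proxy would parse the SQL.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Rule:
    name: str                      # rule name as shown in the Protection Rules table
    mode: str                      # "Monitor", "Block" or "Rewrite"
    enabled: bool = True
    value: Optional[int] = None    # optional Value field, e.g. the LIMIT to apply

@dataclass
class Decision:
    query: str                     # query as it would be forwarded (possibly rewritten)
    blocked: bool = False
    matched: List[str] = field(default_factory=list)   # rules that fired (audit trail)

def _norm(sql: str) -> str:
    """Collapse whitespace, drop a trailing ';' and upper-case for keyword checks."""
    return " ".join(sql.strip().rstrip(";").split()).upper()

# Detection predicates: True when the rule condition is matched.
def delete_without_where(sql: str) -> bool:
    s = _norm(sql)
    return s.startswith("DELETE") and " WHERE " not in s

def update_without_where(sql: str) -> bool:
    s = _norm(sql)
    return s.startswith("UPDATE") and " WHERE " not in s

def drop_table(sql: str) -> bool:
    return _norm(sql).startswith("DROP TABLE")

def select_without_limit(sql: str) -> bool:
    s = _norm(sql)
    return s.startswith("SELECT") and re.search(r"\bLIMIT\s+\d+", s) is None

# Rewrite handler for Require LIMIT Clause: append the configured Value.
def append_limit(sql: str, value: int) -> str:
    return f"{sql.strip().rstrip(';')} LIMIT {value}"

# name -> (detector, rewrite handler or None when the rule cannot rewrite)
RULES: Dict[str, Tuple[Callable[[str], bool], Optional[Callable[[str, int], str]]]] = {
    "DELETE without WHERE": (delete_without_where, None),
    "UPDATE without WHERE": (update_without_where, None),
    "DROP TABLE Protection": (drop_table, None),
    "Require LIMIT Clause": (select_without_limit, append_limit),
}

def evaluate(sql: str, policy: List[Rule]) -> Decision:
    """Run every enabled rule of the policy against one query."""
    d = Decision(query=sql)
    for rule in policy:
        if not rule.enabled:
            continue
        detect, rewrite = RULES[rule.name]
        if not detect(d.query):
            continue
        d.matched.append(rule.name)            # Monitor: record only, query passes unchanged
        if rule.mode == "Block":
            d.blocked = True                   # Block: stop here, nothing is forwarded
            break
        if rule.mode == "Rewrite" and rewrite is not None and rule.value is not None:
            d.query = rewrite(d.query, rule.value)   # Rewrite: adjust and keep evaluating
    return d

if __name__ == "__main__":
    # Constructed policy and sample queries for a local run.
    policy = [
        Rule("DELETE without WHERE", "Block"),
        Rule("UPDATE without WHERE", "Monitor"),
        Rule("Require LIMIT Clause", "Rewrite", value=100000),
        Rule("DROP TABLE Protection", "Block", enabled=False),
    ]
    for q in ("DELETE FROM orders", "UPDATE orders SET status = 'x'", "SELECT id FROM orders;"):
        print(q, "->", evaluate(q, policy))
```

Note that a disabled rule is skipped entirely, a Monitor hit leaves the query untouched but appears in `matched` (the equivalent of a Query Audit entry), and a rule without a rewrite handler behaves like Monitor when set to Rewrite.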
## Extraction Protection
The Extraction Protection tab manages rules related to sensitive data extraction and bulk data access.
This category helps detect queries that may return excessive data, access sensitive tables, or export data outside normal application behavior.
The available Extraction Protection rules include:
| Rule | Description |
|---|---|
| SELECT * Protection | Detects SELECT * queries, especially against sensitive or large tables, to reduce unnecessary data exposure. |
| Large Result Set Protection | Detects or rewrites queries that may return large result sets and impact performance or expose excessive data. |
| Export / Dump Protection | Detects export-style queries or commands that may write data into files or dump sensitive information. |
Some rules may require a value. For example, SELECT * Protection may use a configured threshold or limit value to help determine how the rule should be applied.
## Performance Protection
The Performance Protection tab manages database performance guardrails and expensive query protection rules.
This category helps reduce the risk of queries that may create heavy database load, excessive result sets, or unstable production behavior.
The available Performance Protection rules include:
| Rule | Description |
|---|---|
| Cartesian Join Detection | Detects joins without proper join conditions that may create excessive result sets or performance issues. |
| ORDER BY Random Protection | Detects expensive random sorting operations such as ORDER BY RAND(), ORDER BY RANDOM(), or ORDER BY NEWID(). |
| Bulk Insert / Load Data Protection | Detects bulk data loading operations such as COPY, LOAD DATA, BULK INSERT, or external table loading. |
| DML on Sensitive Table | Detects INSERT, UPDATE, DELETE, or MERGE operations against sensitive tables for additional audit visibility. |
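How three of the rules from the Extraction Protection and Performance Protection tables can be expressed over a small FROM-clause parser, as an added Python example that is not OneDB's own detection code. It assumes queries without subqueries, uses a set of sensitive table names in place of the SELECT * rule's configured Value, and treats a query with n sources and fewer than n-1 join predicates as a Cartesian join; all of these are assumptions made here.

```python
# Added example (not OneDB code): SELECT * Protection, Cartesian Join Detection
# and ORDER BY Random Protection built on a tiny FROM-clause parser.
# Assumptions: no subqueries; the "sensitive" set stands in for the rule Value.
import re
from typing import List, Set

_FROM_END = r"\bWHERE\b|\bGROUP\b|\bORDER\b|\bLIMIT\b|;|$"

def tables_in_from(sql: str) -> List[str]:
    """Table names in the FROM clause: comma-separated sources and JOIN ... ON."""
    m = re.search(r"\bFROM\s+(.*?)(?:" + _FROM_END + ")", sql, re.I | re.S)
    if not m:
        return []
    names = []
    for part in re.split(r",|\bJOIN\b", m.group(1), flags=re.I):
        part = re.sub(r"\bON\b.*", "", part, flags=re.I | re.S)   # drop the join condition
        tokens = part.split()                                     # "orders o LEFT" -> orders
        if tokens:
            names.append(tokens[0].lower())
    return names

def select_star(sql: str, sensitive: Set[str]) -> bool:
    """SELECT * Protection: flag SELECT * (or t.*) that reads a sensitive table."""
    if re.match(r"\s*SELECT\s+(?:\w+\.)?\*", sql, re.I) is None:
        return False
    return any(t in sensitive for t in tables_in_from(sql))

def cartesian_join(sql: str) -> bool:
    """Cartesian Join Detection: n sources need at least n-1 join predicates
    (ON clauses or col = col comparisons in WHERE); CROSS JOIN always matches."""
    tables = tables_in_from(sql)
    if len(tables) < 2:
        return False
    if re.search(r"\bCROSS\s+JOIN\b", sql, re.I):
        return True
    on_clauses = len(re.findall(r"\bON\b", sql, re.I))
    where = re.search(r"\bWHERE\b(.*)", sql, re.I | re.S)
    where_joins = len(re.findall(r"\w+\.\w+\s*=\s*\w+\.\w+", where.group(1))) if where else 0
    return on_clauses + where_joins < len(tables) - 1

def order_by_random(sql: str) -> bool:
    """ORDER BY Random Protection: RAND(), RANDOM() or NEWID() used as the sort key."""
    return re.search(r"\bORDER\s+BY\s+(?:RAND|RANDOM|NEWID)\s*\(", sql, re.I) is not None

if __name__ == "__main__":
    # Constructed sample queries for a local run.
    sensitive = {"customers"}
    for q in ("SELECT * FROM customers WHERE id = 1",
              "SELECT o.id FROM orders o, customers c",
              "SELECT id FROM orders ORDER BY RAND()"):
        print(q, "->", select_star(q, sensitive), cartesian_join(q), order_by_random(q))
```

The join-predicate count is the interesting part: `FROM orders o, customers c` with no `WHERE` has two sources and zero predicates and is flagged, while the same query with `WHERE o.customer_id = c.id` or written as `JOIN customers c ON ...` is not.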
## SQL Injection Protection
The SQL Injection Protection tab manages rules for detecting suspicious SQL patterns commonly associated with SQL injection attempts.
This category helps identify unsafe queries, multiple statements in a single request, suspicious conditions, comment-based bypass attempts, and privilege-related commands.
The available SQL Injection Protection rules include:
| Rule | Description |
|---|---|
| Stacked Query Protection | Detects multiple SQL statements submitted in a single request, which may indicate an attempt to execute additional unauthorized commands. |
| Always True WHERE Detection | Detects suspicious always-true conditions that may indicate unsafe query logic or attempted injection activity. |
| UNION-based Injection Detection | Detects suspicious query patterns that attempt to combine results from different queries, which may indicate unauthorized data extraction. |
| Comment-based Injection Detection | Detects suspicious SQL comment markers that may be used to alter or bypass normal query logic. |
| Sleep / Delay Function Detection | Detects the use of database delay functions that are commonly associated with time-based attack techniques. |
| Database Metadata Access Protection | Detects queries that access database metadata or system catalog objects, which may indicate reconnaissance activity or unauthorized schema discovery. |
| Privilege Change Protection | Detects or blocks database privilege and user management commands that may change access rights or create unauthorized database users. |
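The SQL Injection Protection rules listed above, expressed as simple heuristic detectors and run in Monitor mode over a few constructed queries, as an added Python example that is not OneDB's detection code. The regular expressions are an assumption about how such rules could be written; the delay functions named in the comments are the documented ones for the four supported platforms, and the string-literal blanking step shows why a detector should not count punctuation inside data.

```python
# Added example (not OneDB code): heuristic detectors for the SQL Injection
# Protection rules, evaluated in Monitor mode (record matches, block nothing).
import re
from typing import Callable, Dict, List, Optional

def _strip_literals(sql: str) -> str:
    """Blank out '...' literals so punctuation inside data cannot trip the
    statement-count or comment checks ('' handles doubled-quote escapes)."""
    return re.sub(r"'(?:[^']|'')*'", "''", sql)

def stacked_query(sql: str) -> bool:
    # A ';' left after removing the trailing one means a second statement follows.
    return ";" in _strip_literals(sql).strip().rstrip(";")

def always_true_where(sql: str) -> bool:
    # OR <x> = <x> with the same token on both sides (heuristic; ignores OR y = y).
    return re.search(r"\bOR\s+(\S+?)\s*=\s*\1(?![\w'\"])", sql, re.I) is not None

def union_based(sql: str) -> bool:
    return re.search(r"\bUNION\s+(?:ALL\s+)?SELECT\b", sql, re.I) is not None

def comment_based(sql: str) -> bool:
    # A comment marker after WHERE cuts off the rest of the predicate.
    return re.search(r"\bWHERE\b.*(--|/\*|#)", _strip_literals(sql), re.I | re.S) is not None

def sleep_or_delay(sql: str) -> bool:
    # MySQL SLEEP(), PostgreSQL pg_sleep(), Oracle DBMS_LOCK.SLEEP(), SQL Server WAITFOR DELAY
    return re.search(r"\b(?:SLEEP|PG_SLEEP|DBMS_LOCK\.SLEEP)\s*\(|\bWAITFOR\s+DELAY\b",
                     sql, re.I) is not None

def metadata_access(sql: str) -> bool:
    # information_schema (MySQL/PostgreSQL/SQL Server), pg_catalog, sys.* views, Oracle *_TABLES
    return re.search(r"\b(?:INFORMATION_SCHEMA|PG_CATALOG|ALL_TABLES|DBA_TABLES)\b|\bSYS\.\w+",
                     sql, re.I) is not None

def privilege_change(sql: str) -> bool:
    return re.match(r"\s*(?:GRANT|REVOKE|(?:CREATE|ALTER|DROP)\s+(?:USER|ROLE))\b",
                    sql, re.I) is not None

DETECTORS: Dict[str, Callable[[str], bool]] = {
    "Stacked Query Protection": stacked_query,
    "Always True WHERE Detection": always_true_where,
    "UNION-based Injection Detection": union_based,
    "Comment-based Injection Detection": comment_based,
    "Sleep / Delay Function Detection": sleep_or_delay,
    "Database Metadata Access Protection": metadata_access,
    "Privilege Change Protection": privilege_change,
}

def monitor(sql: str, enabled: Optional[List[str]] = None) -> List[str]:
    """Monitor mode: names of the enabled rules that match; the query is never blocked."""
    names = enabled if enabled is not None else list(DETECTORS)
    return [name for name in names if DETECTORS[name](sql)]

if __name__ == "__main__":
    # Constructed sample queries for a local run; each should light up one or two rules.
    for q in ("SELECT name FROM users WHERE id = 1 OR 1=1",
              "SELECT name FROM users WHERE id = 1; SELECT pg_sleep(5)",
              "SELECT name FROM users WHERE id = 'it''s'"):
        print(q, "->", monitor(q))
```

Running this in Monitor mode first, as the Recommended Usage section advises, is what reveals the false positives: a reporting job that legitimately reads `information_schema`, or an admin script that uses `--` comments, would show up in the audit trail and be handled with a tuned rule or a Query Whitelist entry before anything is switched to Block.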
## Enabling or Disabling Rules
Each rule has an Enabled checkbox.
When enabled, the rule is active for the selected connection. When disabled, OneDB will not apply that rule to the selected connection.
Administrators can enable only the rules that are relevant to the database connection, application behavior, and security requirements.
## Setting Rule Values
Some rules may require a value, such as a threshold, limit, or configuration parameter.
Example: `100000`
A value may be used to define a maximum allowed result size, query threshold, or another rule-specific parameter.
If a rule does not require a value, the field may display: `Not required`
## Saving Changes
To configure and save protection rules for a connection:
- Select the target connection.
- Choose the protection category.
- Set the rule mode.
- Enter a value if required.
- Enable or disable the rule.
- Click Save.
Click Discard to cancel unsaved changes.
## Recommended Usage
For new deployments, it is recommended to start with Monitor mode before enabling Block mode.
This allows administrators to observe real query behavior first, reduce false positives, and identify which rules are safe to enforce.
A recommended rollout approach:
| Phase | Recommendation |
|---|---|
| Initial setup | Enable relevant rules in Monitor mode. |
| Observation | Review Query Audit logs and identify matched rules. |
| Tuning | Adjust rule values, disable unnecessary rules, or add whitelist exceptions when required. |
| Enforcement | Change selected high-confidence rules from Monitor to Block or Rewrite. |
| Review | Periodically review rules to match application and database changes. |
## Security Considerations
Protection Rules can directly affect application behavior. A rule configured in Block mode may prevent certain SQL statements from being executed.
Before enforcing rules in production, administrators should verify that the rules do not interfere with valid application queries.
Use Query Whitelist only for trusted exceptions where a specific query must bypass protection rules for valid business or technical reasons.
## Summary
The Protection Rules page provides centralized policy control for database query protection in OneDB.
By combining Query Protection, Extraction Protection, Performance Protection, and SQL Injection Protection, administrators can monitor and control risky database activity while maintaining flexibility for real application workloads.