How to Configure Database Access Control and Data Anonymization for Developer
This tutorial will walk you through how database access control and data anonymization works in Bytebase. You’ll need two Bytebase accounts – one DBA and one Developer. DBA is the one who configures the settings and Developer is the one who should only see information based on the configuration.
Both database access control and data anonymization are Enterprise Plan only features. However, you can start a 14-day trial of the Enterprise Plan with one click without providing additional information (no credit card required).
This phase will guide you configure and prepare testing data in Bytebase. You can adjust to your needs if you’re familiar with the system. If you already have set up the Bytebase environment, you can skip this part and start from Test phase.
During this phase, you’ll run one Bytebase and two MySQL instances, add the corresponding database instance to Bytebase’s Test and Prod environments, create tables, and populate them with data.
Make sure you have Docker installed, and if you don’t have important existing Bytebase data locally, you can start over from scratch by
rm -rf ~/.bytebase/data.
Step 1 - Start Bytebase with Docker
- Make sure your docker daemon is running, and then start the Bytebase docker container by typing the following command in the terminal.
- Type the following commands one by one in the terminal to start two MySQL instances, and they will be mapped to Test and Prod environments later.
- Register admin account DBA - we’ll refer to it as DBA. This account will be granted
Workspace Ownerrole. Check Roles and Permissions (RBAC).
- Open another browser, and register a developer account DEV - we’ll refer to it as Developer. This account will be granted
Step 2 - Configuration
- Follow the onboard guidance or click Add instance on home page.
- Create an instance for
TestEnvironment with the following configuration. Fill username/password as
- Follow the onboard guidance or click New Project on Projects page. Create a project
TestAccessand click Next.
Follow the onboard guidance or Click New DB on the project
Create a database
demo, and click Next.
- You'll be redirected to the issue page, and an issue is created. Since it’s for
Testenvironment, it will execute without approval from you. Click Resolve issue, and the issue will be done.
- Repeat 1 and 2 to add another instance
Prodenvironment. The adjustments are environment should be
Test, and port number should be
- Repeat 4 and 5 to create another database
Prodenvironment. Since it’s for
Assigneeshould click Approve to allow it to execute. After its execution, click Resolve issue, and the issue will be done.
Step 3 - Table and Data
- Go to the project
TestAccess, and click Alter Schema.
- Choose both Test and Prod, and click Next.
- Use Schema Editor to create
t1table for both Test and Prod environments. Click Preview issue.
- An issue with the pipeline is created with information filled. Click Create.
- The issue will execute against
Testenvironment without approval and then become
Prodenvironment. Click Approve and it will continue executing against
- Click Resolve issue and the issue will be done.
- Go back to project
TestAccesspage, and click Change Data.
- Choose databases for both environments, and click Next.
- Fill SQL as follows:
and click Apply to other tasks. Click Create and the issue will be created.
- Repeat 5 and 6, and the issue is done.
With the preparation from the previous phase, you’re almost ready for testing. However, since access control and data anonymization are only available in the Enterprise Plan, you need to request a free 14-day Enterprise Plan trial.
Step 1 - Upgrade to a 14-day Enterprise Plan trial
- Log in as DBA, click Environments on the top navigation bar. Check Mark as protected environment under
Testenvironment. Click Update, and click Upgrade trial.
- Now it’s Enterprise Plan. Uncheck Mark as protected environment and click Update.
Step 2 - Add developer as project member
Go to project
TestAccess > Settings > Manage members to add Developer as
Project Developer. Only after this, can Developer see the project.
Test Database Access Control
- Log in as DBA, and click Environments on the top navigation bar. Click Prod, and make sure the Mark as protected environment is unchecked. It means the prod environment is not protected.
- Log in as Developer, and click SQL Editor on the left bar.
- Within SQL Editor, you can view both databases under
- Log in as DBA, and click Environments on the top navigation bar. Click Prod, and check Mark as protected environment and click Update. You can see there is a shield beside Prod, which means the environment is protected.
- Log in as Developer and go into SQL Editor again. Now you can only see database under
Testenvironment. It’s because
Prodenvironment is protected.
- Log in as DBA, and click Settings on the top navigation bar. Click Workspace > Access Control. Click Add rule.
Prodenvironment and click Add. Only databases under protected environments will list here.
- Log in as Developer, and go to SQL Editor. You can see database
Prodenvironment because of the Access rule DBA just granted.
- Login as DBA, click Environments, uncheck Mark as protected environment under Prod, and click Update. Click Settings > Workspace > Access Control, and click the trash icon to delete the rule.
Test Data Anonymization
- Log in as Developer, and go to SQL Editor. Currently, you can view all the information. We want to anonymize the
- Log in as DBA, and click Databases on the top navigation bar. Click the
demounder Prod environment, and click
t1. Under the Columns section, you can see the Sensitive checkbox for each row.
- Check the checkbox for mobile row.
- Click Settings > Workspace > Sensitive Data, and you should see the sensitive rule list.
- Log in as Developer, and go to SQL Editor. The
mobilecolumn is anonymized.
You have now tried out the basics of database access control and data anonymization in Bytebase. If you want to learn the overall picture of database access control, please check out How to Manage Database Access Control.