Database Security Policies

Define granular security policies to control access, protect sensitive data, and enforce compliance requirements across all your databases.

Policy-Based Security

DB Audit's policy engine lets you define security rules that are automatically enforced across all monitored databases. Policies can control access, mask data, block dangerous queries, and trigger alerts—all without modifying your application code.

100+ pre-built policy templates
<1ms policy evaluation latency
Real-time policy enforcement

Policy Types

Access Control Policies

Control who can access your databases and when. Define policies based on users, roles, IP addresses, time windows, and application context.

users / roles: Target specific users or database roles for policy enforcement.
time_window: Restrict access to specific hours and days of the week.
allowed_ips: Whitelist IP addresses or CIDR ranges for access.
actions: Block, allow, alert, or require additional authentication.

# Access Control Policy Example
policies:
  - name: restrict-admin-access
    type: access_control
    enabled: true
    description: Restrict admin access to business hours from trusted IPs

    conditions:
      users:
        - admin
        - root
        - postgres

      # Only allow during business hours (UTC)
      time_window:
        start: "08:00"
        end: "18:00"
        days: [monday, tuesday, wednesday, thursday, friday]

      # Trusted IP ranges only
      allowed_ips:
        - 10.0.0.0/8
        - 192.168.1.0/24

    actions:
      - block
      - alert:
          severity: critical
          channels: [slack, pagerduty]
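
How the conditions of restrict-admin-access combine for a single connection, as an added Python example (not DB Audit's own code). It assumes the listed users must satisfy both the time window and the IP allow-list, with the end of the window exclusive; the function and field names are hypothetical.

```python
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# Values copied from the restrict-admin-access policy above.
POLICY = {
    "users": {"admin", "root", "postgres"},
    "start": time(8, 0),
    "end": time(18, 0),
    "days": {0, 1, 2, 3, 4},  # Monday=0 .. Friday=4
    "allowed_ips": [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")],
}

def evaluate(user: str, source_ip: str, when: datetime) -> list[str]:
    """Return the reasons a connection violates the policy (empty = allowed).

    Assumed semantics (not confirmed on this page): the policy applies only
    to the listed users, they must satisfy BOTH the time window and the IP
    allow-list, and the window end (18:00) is exclusive.
    """
    if user not in POLICY["users"]:
        return []  # policy does not target this user
    reasons = []
    utc = when.astimezone(timezone.utc)  # the window is defined in UTC
    in_hours = POLICY["start"] <= utc.time() < POLICY["end"]
    if utc.weekday() not in POLICY["days"] or not in_hours:
        reasons.append("outside_time_window")
    addr = ip_address(source_ip)
    if not any(addr in net for net in POLICY["allowed_ips"]):
        reasons.append("untrusted_ip")
    return reasons

# Constructed sample connections (not real log data).
SAMPLES = [
    ("admin", "10.4.2.9", datetime(2024, 3, 6, 9, 30, tzinfo=timezone.utc)),
    ("admin", "10.4.2.9", datetime(2024, 3, 9, 9, 30, tzinfo=timezone.utc)),
    ("root", "203.0.113.7", datetime(2024, 3, 6, 23, 0, tzinfo=timezone.utc)),
    ("app_user", "203.0.113.7", datetime(2024, 3, 6, 23, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for user, ip, ts in SAMPLES:
        reasons = evaluate(user, ip, ts)
        print(user, ip, ts.isoformat(), "BLOCK " + ",".join(reasons) if reasons else "ALLOW")
```

Timestamps are converted to UTC before the comparison, so a client reporting local time is judged against the same window as everyone else.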

Data Protection Policies

Automatically mask, redact, or encrypt sensitive data. Protect PII, financial data, and health records without changing your application.

Compliance Ready

Data protection policies help you meet GDPR, HIPAA, PCI DSS, and other regulatory requirements by ensuring sensitive data is never exposed inappropriately.

masking_rules: Define regex patterns to detect and mask sensitive data in query results.
targets: Specify tables and columns containing sensitive data.
exceptions: Allow specific users or roles to access unmasked data.

# Data Protection Policy Example
policies:
  - name: mask-pii-data
    type: data_protection
    enabled: true
    description: Mask personally identifiable information in query results

    targets:
      tables:
        - users
        - customers
        - employees
      columns:
        - ssn
        - credit_card
        - email
        - phone

    masking_rules:
      - column: ssn
        pattern: '\d{3}-\d{2}-\d{4}'
        replacement: '***-**-XXXX'

      - column: credit_card
        pattern: '\d{4}-\d{4}-\d{4}-\d{4}'
        replacement: '****-****-****-XXXX'

      - column: email
        type: partial
        show_domain: true
        # john.doe@example.com -> j***e@example.com

    exceptions:
      users:
        - compliance_officer
        - data_admin
      roles:
        - pii_access
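
The effect of the mask-pii-data rules on one result row, as an added Python example (not DB Audit's own code). It assumes "XXXX" in a replacement means the last four digits are kept; fully masking a value that does not match its column's pattern is this example's fail-closed choice, not documented product behaviour.

```python
import re

# Patterns from the mask-pii-data policy; the capture group around the last
# four digits is added here so they can be kept (assumed meaning of "XXXX").
SSN = re.compile(r"\d{3}-\d{2}-(\d{4})")
CARD = re.compile(r"\d{4}-\d{4}-\d{4}-(\d{4})")

def mask_ssn(value):
    masked, n = SSN.subn(lambda m: "***-**-" + m.group(1), value)
    return masked if n else "*" * len(value)  # fail closed on unexpected format

def mask_card(value):
    masked, n = CARD.subn(lambda m: "****-****-****-" + m.group(1), value)
    return masked if n else "*" * len(value)

def mask_email(value):
    """Partial mask with show_domain: john.doe@example.com -> j***e@example.com."""
    local, at, domain = value.partition("@")
    if not at or not local:
        return "*" * len(value)
    tail = local[-1] if len(local) > 1 else ""
    return f"{local[0]}***{tail}@{domain}"

MASKERS = {"ssn": mask_ssn, "credit_card": mask_card, "email": mask_email}
EXEMPT_USERS = {"compliance_officer", "data_admin"}  # exceptions.users
EXEMPT_ROLES = {"pii_access"}                        # exceptions.roles

def mask_row(row, user, roles=()):
    """Mask the configured columns unless the caller is covered by an exception."""
    if user in EXEMPT_USERS or EXEMPT_ROLES & set(roles):
        return dict(row)
    return {col: MASKERS[col](val) if col in MASKERS else val
            for col, val in row.items()}

# Constructed sample row; the card number is written with spaces, so it does
# not match the dash-separated pattern from the policy.
ROW = {
    "id": 7,
    "ssn": "123-45-6789",
    "credit_card": "4111 1111 1111 1111",
    "email": "john.doe@example.com",
}

if __name__ == "__main__":
    print(mask_row(ROW, "analyst"))
    print(mask_row(ROW, "analyst", roles=["pii_access"]))
```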

Query Control Policies

Prevent dangerous or unauthorized queries from executing. Block destructive operations, enforce query patterns, and limit data exfiltration.

Block: Completely prevent query execution
Warn: Allow but alert on policy violation
Require Approval: Queue for manual approval
Audit: Log for compliance review

# Query Control Policy Example
policies:
  - name: prevent-destructive-queries
    type: query_control
    enabled: true
    description: Block dangerous database operations

    rules:
      # Block DROP statements on production tables
      - name: block-drop
        pattern: 'DROP\s+(TABLE|DATABASE|INDEX)'
        action: block
        severity: critical
        message: "DROP statements are not allowed"

      # Require WHERE clause on DELETE
      - name: require-where-delete
        pattern: 'DELETE\s+FROM\s+\w+\s*$'
        action: block
        severity: high
        message: "DELETE without WHERE clause is not allowed"

      # Limit bulk SELECT operations
      - name: limit-bulk-select
        pattern: 'SELECT\s+\*\s+FROM'
        tables: [orders, transactions, audit_log]
        action: warn
        max_rows: 10000
        message: "Large SELECT operations require LIMIT clause"

    exceptions:
      users:
        - migration_user
      applications:
        - backup_service
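
A coverage check for the block-drop and require-where-delete patterns, as an added Python example (not DB Audit's own code). The page does not state the engine's regex flavour or case handling, so Python's `re` with case-sensitive matching is assumed; the tightened patterns and the test statements are constructed here.

```python
import re

# Patterns copied from the prevent-destructive-queries policy above.
ORIGINAL = {
    "block-drop": r"DROP\s+(TABLE|DATABASE|INDEX)",
    "require-where-delete": r"DELETE\s+FROM\s+\w+\s*$",
}
# Tightened variants (added here, not from the product): case-insensitive,
# schema-qualified or quoted names, optional trailing semicolon.
TIGHTENED = {
    "block-drop": r"(?i)\bDROP\s+(TABLE|DATABASE|INDEX)\b",
    "require-where-delete": r'(?i)\bDELETE\s+FROM\s+[\w."]+\s*;?\s*$',
}

# Constructed statements: (sql, rule the policy intends to fire, or None).
CASES = [
    ("DROP TABLE orders", "block-drop"),
    ("drop index idx_orders_created", "block-drop"),
    ("DELETE FROM orders", "require-where-delete"),
    ("DELETE FROM orders;", "require-where-delete"),
    ("delete from public.orders", "require-where-delete"),
    ("DELETE FROM orders WHERE id = 42", None),
    ("SELECT dropped_at FROM orders", None),
]

def fired(patterns, sql):
    """Name of the first rule whose pattern matches the statement, or None."""
    for name, pattern in patterns.items():
        if re.search(pattern, sql):
            return name
    return None

def mismatches(patterns):
    """Statements where the rule set does not behave as the policy intends."""
    return [sql for sql, expected in CASES if fired(patterns, sql) != expected]

if __name__ == "__main__":
    print("original :", mismatches(ORIGINAL))
    print("tightened:", mismatches(TIGHTENED))
```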

Alerting Policies

Define conditions that trigger security alerts. Get notified of suspicious activity, policy violations, and anomalous behavior in real time.

threshold: Set the number of events within a time window to trigger an alert.
severity: Classify alerts as low, medium, high, or critical for prioritization.
channels: Route alerts to email, Slack, PagerDuty, or webhooks.
immediate: Bypass batching and send alerts immediately for critical events.

# Alerting Policy Example
policies:
  - name: security-alerts
    type: alerting
    enabled: true
    description: Alert on suspicious database activity

    rules:
      # Failed login attempts
      - name: failed-logins
        event: login_failed
        threshold: 5
        window: 5m
        severity: high
        channels: [email, slack]

      # Privilege escalation
      - name: privilege-change
        event: grant_privilege
        severity: critical
        channels: [pagerduty, slack]
        immediate: true

      # Schema changes
      - name: schema-changes
        events: [create_table, alter_table, drop_table]
        severity: high
        channels: [slack]
        include_details: true

      # After-hours access
      - name: after-hours
        event: query_executed
        condition: hour NOT BETWEEN 6 AND 22
        users_exclude: [backup_user, monitoring]
        severity: medium
        channels: [email]
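
The failed-logins threshold and the immediate privilege-change rule evaluated over a short event stream, as an added Python example (not DB Audit's own code). Counting failures per user and re-arming after each alert are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# event -> (threshold, window, severity), taken from the security-alerts policy.
# A rule without a threshold fires on every event (threshold 1).
RULES = {
    "login_failed": (5, timedelta(minutes=5), "high"),
    "grant_privilege": (1, timedelta(0), "critical"),
}

# Constructed audit events (timestamp, event, user); not real log data.
EVENTS = [
    ("2024-03-06T10:00:00", "login_failed", "report"),
    ("2024-03-06T10:00:05", "login_failed", "admin"),
    ("2024-03-06T10:00:20", "login_failed", "admin"),
    ("2024-03-06T10:00:40", "login_failed", "admin"),
    ("2024-03-06T10:01:10", "login_failed", "admin"),
    ("2024-03-06T10:01:30", "login_failed", "admin"),
    ("2024-03-06T10:04:00", "login_failed", "report"),
    ("2024-03-06T10:09:00", "login_failed", "report"),
    ("2024-03-06T10:14:00", "login_failed", "report"),
    ("2024-03-06T10:19:00", "login_failed", "report"),
    ("2024-03-06T10:20:00", "grant_privilege", "admin"),
]

def raise_alerts(events):
    """Return (timestamp, event, user, severity) for each alert raised.

    Counting per user is an assumption; the policy does not state the key.
    Events must be sorted by time.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, event, user in events:
        if event not in RULES:
            continue
        threshold, window, severity = RULES[event]
        now = datetime.fromisoformat(ts)
        seen = recent[(event, user)]
        seen.append(now)
        while now - seen[0] > window:  # drop events that left the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append((ts, event, user, severity))
            seen.clear()               # re-arm: one alert per burst
    return alerts
```

The `report` account also fails five times, but spread over 19 minutes, so it never reaches the threshold inside one window.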

Compliance Framework Templates

Start with pre-built policy templates designed for common compliance frameworks. Customize as needed for your specific requirements.

SOC 2: Service Organization Control 2 compliance
HIPAA: Health Insurance Portability and Accountability Act
PCI DSS: Payment Card Industry Data Security Standard
GDPR: General Data Protection Regulation
SOX: Sarbanes-Oxley Act
ISO 27001: Information Security Management

Policy Management

Manage policies through the dashboard, CLI, or API. Test policies in simulation mode before enforcing them in production.

# List all policies
dbaudit policy list

# Create a new policy from file
dbaudit policy create --file policy.yaml

# Test a policy in simulation mode
dbaudit policy test --file policy.yaml --simulate

# Enable a policy
dbaudit policy enable --name restrict-admin-access

# View policy violations
dbaudit policy violations --name restrict-admin-access --last 24h
