Blocking rules allow administrators to control what actions users can execute during a database session. When a user attempts an action that matches a configured rule, the query is blocked and an alert is generated based on the configured severity level.
Criteria Types
Each blocking rule uses one of the following criteria types:
- Command Blocking: Prevents specific SQL commands from being executed. You select from a predefined list that includes CREATE, ALTER, DROP, TRUNCATE, INSERT, UPDATE, DELETE, SELECT, and others.
- SQL Pattern Blocking: Blocks any query that matches a specific SQL pattern or regular expression entered in the Query Pattern field.
- Table Replacement: Intercepts queries targeting a specific table and returns the results of a replacement query instead. For example, if a user runs SELECT * FROM employees, the rule can replace it with SELECT full_name, email FROM employees, limiting the columns returned.
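For SQL Pattern Blocking, a candidate Query Pattern can be checked against queries it must block and queries it must allow before the rule is saved. The following is an added example, not part of the product or its documentation: the sample queries and both patterns are constructed, and Python's re.search stands in for the rule engine, whose regex dialect this page does not state.

```python
import re

# Constructed sample queries; table and column names are hypothetical.
MUST_BLOCK = [
    "DELETE FROM employees",
    "delete from employees;",
    "DELETE\n  FROM employees -- cleanup",
    "UPDATE employees SET salary = 0",
]
MUST_ALLOW = [
    "DELETE FROM employees WHERE id = 42",
    "UPDATE employees SET salary = 0 WHERE id = 42",
    "SELECT 1 -- was: DELETE FROM employees",
]

# First draft: literal text, case-sensitive, not anchored to the statement start.
DRAFT = r"DELETE FROM \w+$"
# Revised: case-insensitive, tolerant of whitespace, anchored to the start of
# the statement, and matching only when no WHERE keyword follows.
REVISED = r"(?is)^\s*(?:delete\s+from|update)\b(?!.*\bwhere\b)"


def evaluate(pattern, must_block=MUST_BLOCK, must_allow=MUST_ALLOW):
    """Return (missed, wrongly_blocked) for a candidate Query Pattern.

    Assumption: the rule engine treats the pattern like re.search(); the page
    does not state the product's regex dialect, so confirm there before saving.
    """
    rx = re.compile(pattern)
    missed = [q for q in must_block if not rx.search(q)]
    wrongly_blocked = [q for q in must_allow if rx.search(q)]
    return missed, wrongly_blocked


if __name__ == "__main__":
    for name, pattern in (("draft", DRAFT), ("revised", REVISED)):
        missed, wrong = evaluate(pattern)
        print(f"{name}: {len(missed)} missed, {len(wrong)} wrongly blocked")
        for q in missed:
            print(f"  not blocked: {q!r}")
        for q in wrong:
            print(f"  blocked in error: {q!r}")
```

Keeping the two query lists alongside the rule gives a regression check to rerun whenever the Query Pattern is edited.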
How to Create a Blocking Rule
There are two ways to create a blocking rule:
- From the Blocking Rules menu: Rules can be applied to one or more databases and include management controls to restrict who can edit or delete the rule.
- From the Add Database form: Rules are automatically scoped to the database being created and support User and Group exceptions.
From the Blocking Rules Menu
Note: Access to the Blocking Rules menu requires the appropriate administrative permission.
- In the left sidebar, click on Blocking Rules.
- Click + Add Blocking Rule.
- On the General tab, complete the following fields:
  - Name: A descriptive name for the rule.
  - Criteria Type: Select Database.
  - Priority: The execution order for the rule. Lower numbers have higher priority.
  - Severity: The alert level triggered when a user attempts a blocked action. Options are Alert, Critical, and Emergency. Alerts are sent to administrators and, if configured, to your SIEM.
  - Tags (optional): Labels to help organize and filter rules.
  - Notes (optional): Any additional context.
- On the Criteria tab, select a Criteria Type and configure the blocking behavior:
  - Command Blocking: Select one or more SQL commands to block. Use Select All or Deselect All to manage selections quickly.
  - SQL Pattern Blocking: Enter the SQL pattern or regular expression to match in the Query Pattern field.
  - Table Replacement: Enter the target table name in Table Name and the replacement query in Replace Query.
- On the Resources tab, click + Add Databases to associate this rule with one or more databases.
- On the Management tab, click + Add User or switch to User Groups to specify which administrators can edit or delete this rule. Users not listed here cannot modify the rule.
- Click Save.
From the Add Database Form
When creating a new database, you can configure blocking rules directly within the setup flow. Rules created this way are scoped to that database and do not have separate management controls. Any administrator with access to the database can manage these rules.
- In the left sidebar, click on Databases.
- Click Add Database and complete the General, Credentials, and Sharing Preferences tabs.
- On the Rules tab, click + Add Blocking Rule.
- On the General tab, complete the Name, Priority, Severity, and optionally Tags and Notes fields. The Criteria Type is automatically set to Database.
- On the Criteria tab, select a Criteria Type and configure the blocking behavior as described in the Criteria Types section above.
- On the Exceptions tab, click Add and select Users or Groups to exempt specific users or groups from this rule. Excepted users can execute actions that would otherwise be blocked by the rule.
- Click Save.
Important: Exceptions configured through the Add Database form apply only to the specific database being created.