Improving Data Export Workflows and Security: From 1.0 to 2.0 with Classification and Dynamic Approval

In the digital age, frequent data leaks threaten personal privacy and national security, prompting the need for secure data export mechanisms.

Business users cannot directly access production databases, so DBAs provide two channels: a query platform (read‑only) and a data export work order that allows data extraction.

The original 1.0 work order process suffered from major security issues: overly broad cluster‑owner permissions, lack of visibility into exported data, unauthenticated download URLs, and unencrypted data files.

The redesigned 2.0 workflow adds dynamic approval flows, data classification and grading, URL expiration, and stricter permission checks, allowing approvals to be escalated based on data sensitivity (up to CEO level).

Data classification involves three steps: extracting table and column names from the export SQL (using Python sqlparse with custom handling for joins, unions, subqueries, functions, etc.), obtaining the execution plan to estimate row counts (adjusting for MySQL version differences and TiDB), and determining sensitivity based on naming conventions and sampled data values.

Example Python usage: git clone https://gitee.com/mo-shan/get-tab-clo.git python GetResult.py {"col": ["sql","id","db_name","db_port","db_type"], "tab": ["tb_export_data_new"], "sql": "select `sql`,id,db_name,db_port,db_type from tb_export_data_new where workorder_id = 1"} {"col": ["name","order_id"], "tab": ["tb_export_data_new","t2"], "sql": "select t1.name,t2.order_id from tb_export_data_new t1 join t2 on t1.id = t2.id where workorder_id = 1"} ...

Execution‑plan extraction highlights version‑specific output and the need to multiply row estimates for multi‑table joins (e.g., 849643 × 849643).

Based on table/column names (e.g., tables named user or columns like username , passwd ) and data patterns (e.g., fixed‑length numeric fields), sensitivity levels are assigned, influencing the approval chain.

After implementing the 2.0 process, the number of export work orders dropped by 57% in the same period, and the withdrawal rate increased by 25%, demonstrating a significant improvement in data leak prevention.