docs: consolidate data masking

Author: tianzhou

data-masking/README.md

@@ -6,7 +6,7 @@ This directory demonstrates how to use API to configure:
 1. Database query and export access control.
 1. Dynamic data masking.
 
-You can expand this example to build a GitOps solution to configure all data security policies as code.
+You can expand this example to build a GitOps solution to codify all data security policies.
 
 # Fetch the access token
 

data-masking/projects/project-sample/README.md

@@ -1,4 +1,4 @@
-## Configure column masking explicitly
+## Column masking explicitly
 
 Correspond to https://www.bytebase.com/docs/security/data-masking/column-masking/
 
@@ -8,7 +8,7 @@ curl --request PATCH "${bytebase_url}/v1/instances/prod-sample-instance/database
   --data @column-masking.json
 ```
 
-## Configure column semantic type and classification
+## Column semantic type and classification
 
 - Semantic type: https://www.bytebase.com/docs/security/data-masking/semantic-types/
 - Classification: https://www.bytebase.com/docs/security/data-masking/data-classification/#manual-classification

data-masking/workspace/README.md

@@ -1,4 +1,4 @@
-# Configure IAM
+# IAM
 
 API: https://api.bytebase.com/#tag/projectservice/POST/v1/projects/{project}:setIamPolicy
 
@@ -8,3 +8,16 @@ curl --request POST "${bytebase_url}/v1/projects/${project_id}:setIamPolicy" \
   --header 'Authorization: Bearer '${bytebase_token} \
   --data @iam.json
 ```
+
+# Masking exception
+
+Docs: https://www.bytebase.com/docs/security/data-masking/access-unmasked-data/
+
+API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/projects/{project}/policies/{policy}
+
+```bash
+export project_id=project-sample
+curl --request PATCH "${bytebase_url}/v1/projects/${project_id}/policies/masking_exception?allow_missing=true&update_mask=payload" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @masking-exception.json
+```

data-security/README.md

@@ -1,10 +1,45 @@
-# Configure users
+# Users
+
+We highly recommend using [SSO](https://www.bytebase.com/docs/administration/sso/overview/) to provision
+user instead of using API.
+
+API: https://api.bytebase.com/#tag/authservice/POST/v1/users
+
+```bash
+## Create
+curl --request POST ${bytebase_url}/v1/users \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @user.json
+```
+
+```bash
+## Update
+curl --request PATCH "${bytebase_url}/v1/users/111" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data '{
+    "email":"[email protected]",
+    "title": "User updated",
+    "phone": "+14082121234"
+  }'
+```
+
+```bash
+## Deactivate
+curl --request DELETE "${bytebase_url}/v1/users/111" \
+  --header 'Authorization: Bearer '${bytebase_token}
+```
+
+```bash
+## Activate
+curl --request POST "${bytebase_url}/v1/users/111:undelete" \
+  --header 'Authorization: Bearer '${bytebase_token}
+```
 
 We don't provide example to configure users as we recommend using [SSO](https://www.bytebase.com/docs/administration/sso/overview/).
 
 Another challenge for configuring users is you need to specify the password, which is not desirable.
 
-# Configure groups
+# Groups
 
 You can skip this if you have [SCIM](https://www.bytebase.com/docs/administration/scim/overview/) to
 provision users and groups in an organization.
@@ -14,11 +49,27 @@ API: https://api.bytebase.com/#tag/groupservice
 ```bash
 ## Create
 curl --request POST ${bytebase_url}/v1/groups \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data "$(jq -n --arg name 'groups/[email protected]' \
+    '. + {name: $name} + input' group.json)"
+```
+
+You must be the **Group Owner** to update/delete the group.
+
+```bash
+## Update
+curl --request PATCH "${bytebase_url}/v1/groups/[email protected]" \
   --header 'Authorization: Bearer '${bytebase_token} \
   --data @group.json
 ```
 
-# Configure custom roles
+```bash
+## Delete
+curl --request DELETE "${bytebase_url}/v1/groups/[email protected]" \
+  --header 'Authorization: Bearer '${bytebase_token}
+```
+
+# Custom roles
 
 Docs: https://www.bytebase.com/docs/administration/custom-roles/
 
@@ -38,7 +89,13 @@ curl --request PATCH "${bytebase_url}/v1/roles/auditor" \
   --data @custom-role.json
 ```
 
-# Configure IAM
+```bash
+## Delete
+curl --request DELETE "${bytebase_url}/v1/roles/auditor" \
+  --header 'Authorization: Bearer '${bytebase_token}
+```
+
+# IAM
 
 API: https://api.bytebase.com/#tag/workspaceservice
 
@@ -48,3 +105,55 @@ curl --request POST "${bytebase_url}/v1/workspaces/${workspace_id}:setIamPolicy"
   --header 'Authorization: Bearer '${bytebase_token} \
   --data @iam.json
 ```
+
+# Dynamic Data Masking
+
+Docs: https://www.bytebase.com/docs/security/data-masking/overview/
+
+## Global masking rule
+
+Docs: https://www.bytebase.com/docs/security/data-masking/global-masking-rule/
+
+API: https://api.bytebase.com/#tag/orgpolicyservice/PATCH/v1/policies/{policy}
+
+```bash
+curl --request PATCH "${bytebase_url}/v1/policies/masking_rule?allow_missing=true&update_mask=payload" \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @global-masking-rule.json
+```
+
+## Data classification
+
+Docs: https://www.bytebase.com/docs/security/data-masking/data-classification/
+
+API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.data-classification \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @data-classification.json
+```
+
+## Masking algorithm
+
+Docs: https://www.bytebase.com/docs/security/data-masking/masking-algorithm/
+
+API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.masking-algorithm \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @masking-algorithm.json
+```
+
+## Semantic type
+
+Docs: https://www.bytebase.com/docs/security/data-masking/semantic-types/
+
+API: https://api.bytebase.com/#tag/settingservice/PATCH/v1/settings/{setting}
+
+```bash
+curl --request PATCH ${bytebase_url}/v1/settings/bb.workspace.semantic-types \
+  --header 'Authorization: Bearer '${bytebase_token} \
+  --data @semantic-type.json
+```

data-masking/databases/hr_prod/README.md renamed to data-security/databases/hr_prod/README.md

@@ -1,13 +1,10 @@
 {
-    "name": "groups/[email protected]",
-    "title": "Contractor Group",
-    "description": "A group for contractors",
-    "creator": "users/[email protected]",
-    "members": [
-      {
-        "member": "users/[email protected]",
-        "role": "OWNER"
-      }
-    ],
-    "createTime": "2024-10-11T16:30:40.608Z"
-  }
+  "title": "Contractor Group",
+  "description": "A group for contractors",
+  "members": [
+    {
+      "member": "users/[email protected]",
+      "role": "OWNER"
+    }
+  ]
+}

data-masking/databases/hr_prod/column-masking.json renamed to data-security/databases/hr_prod/column-masking.json

@@ -0,0 +1,8 @@
+{
+  "email": "[email protected]",
+  "title": "Test 2",
+  "userType": "USER",
+  "password": "",
+  "mfaEnabled": false,
+  "phone": "+14082120000"
+}