How to Ensure Data Governance for TiDB

TiDB is a distributed SQL database built for hybrid transactional and analytical processing (HTAP). It’s fast, horizontally scalable, and MySQL-compatible — but when it comes to enterprise-grade data governance, it needs a boost.
Data governance refers to the framework of policies, controls, and technologies that ensure data is secure, accurate, accessible, and compliant throughout its lifecycle. It includes managing user access, tracking changes, protecting sensitive information, and meeting regulatory obligations like GDPR, HIPAA, and SOX.
This guide shows how to apply governance to TiDB using its native tools and how to close the gaps with DataSunrise, a full-featured compliance and database security platform.
Why TiDB Needs Governance
Whether you’re storing customer records, financial transactions, or health data, governance ensures your database meets requirements for:
- Access control
- Auditability
- Sensitive data protection
- Regulatory compliance
TiDB provides foundational controls — but they’re often limited, manual, or missing altogether. Let’s start with what’s built-in.
Native TiDB Governance Tools
Role-Based Access Control
TiDB includes role management compatible with MySQL syntax. You can create roles and delegate access privileges like this:
```sql
CREATE ROLE 'compliance_auditor';
GRANT SELECT ON hr_data.* TO 'compliance_auditor';
GRANT 'compliance_auditor' TO 'alice'@'%';
-- Note: a granted role is inactive in alice's sessions until it is
-- activated with SET ROLE or made her default with SET DEFAULT ROLE.
```
See the official documentation on roles and grants for more.
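An added example (not from the original guide or the TiDB documentation) that carries the role pattern through to least privilege: sensitive columns are hidden behind a view, the role is granted SELECT on the view only, the role is activated as the user's default, and the effective grants are verified. The hr_data schema, the employees table, the hr_reviewer role and the user bob are constructed names.

```sql
-- Added example; schema, table, role and user names are constructed.
CREATE DATABASE IF NOT EXISTS hr_data;
CREATE TABLE IF NOT EXISTS hr_data.employees (
  id        BIGINT PRIMARY KEY,
  full_name VARCHAR(100),
  email     VARCHAR(255),
  ssn       CHAR(11),        -- sensitive: never exposed to reviewers
  salary    DECIMAL(12, 2)   -- sensitive: never exposed to reviewers
);

-- A view that projects only the non-sensitive columns. The view executes
-- with its definer's privileges, so the DBA creating it must be able to
-- read the base table; the reviewer role never needs that privilege.
CREATE OR REPLACE VIEW hr_data.employees_public AS
  SELECT id, full_name, email FROM hr_data.employees;

-- Least privilege: the role gets SELECT on the view and nothing on the table.
CREATE ROLE 'hr_reviewer';
GRANT SELECT ON hr_data.employees_public TO 'hr_reviewer';

-- Bind the role to a user. A granted role stays inactive until the session
-- runs SET ROLE or it is made the default, so set the default explicitly.
CREATE USER 'bob'@'%' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT 'hr_reviewer' TO 'bob'@'%';
SET DEFAULT ROLE 'hr_reviewer' TO 'bob'@'%';

-- Verify: the USING form resolves the privileges bob receives via the role.
SHOW GRANTS FOR 'bob'@'%';
SHOW GRANTS FOR 'bob'@'%' USING 'hr_reviewer';

-- In a session as bob the first query succeeds; the second is refused
-- because the role holds no privilege on the base table.
SELECT id, full_name, email FROM hr_data.employees_public;
SELECT ssn, salary FROM hr_data.employees;
```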
Audit Logging (Enterprise & Cloud Dedicated)
Available in TiDB v7.1+ Enterprise and Dedicated Cloud tiers. You can filter what gets logged, redact SQL, and assign rules to users:
```sql
SET GLOBAL tidb_audit_enabled = 1;
CALL audit_log_create_filter('login_attempts', '{
  "filter": [
    { "class": ["CONNECT"], "status_code": [0] },
    { "class": ["QUERY_DDL"] }
  ]
}');
CALL audit_log_create_rule('login_attempts', 'admin@%', true);
SET GLOBAL tidb_audit_log_redacted = ON;
```
Full configuration instructions are available in the TiDB Audit Logging Guide (PDF).
Cluster-Wide Log Search
Search audit logs across TiDB, TiKV, and PD nodes:
```sql
SELECT * FROM information_schema.cluster_log
WHERE message LIKE '%ddl%'
  AND time > NOW() - INTERVAL 30 MINUTE;
```
Field definitions and usage examples are covered in the CLUSTER_LOG documentation.
Point-in-Time Recovery (PITR)
TiDB’s BR tool supports PITR from log backups:
```shell
# Start a continuous log backup task named "pitr"
tiup br log start --task-name=pitr \
  --pd="${PD_IP}:2379" \
  --storage 's3://mybucket/logs'

# Restore the cluster to an exact timestamp from those logs
tiup br restore point \
  --restored-ts '2025-07-10 12:00:00' \
  --pd="${PD_IP}:2379" \
  --storage 's3://mybucket/logs'
```
Read more in the TiDB PITR documentation.
Manual Data Discovery (Regex Queries)
```sql
SELECT table_name, column_name
FROM information_schema.columns
WHERE column_name REGEXP 'email|name|card|phone';
```

Useful, but limited — there’s no built-in classification, tagging, or mapping to compliance standards.
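An added example (not from the original guide) that pushes the name-based scan as far as it goes: it joins the column catalog to the table catalog for an estimated row count, skips system schemas, and attaches a coarse category and a likely regulation so the result reads as a first-pass inventory rather than a bare column list. The patterns, category labels and regulation mapping are constructed heuristics, not an authoritative classification.

```sql
-- Added example; patterns, categories and the regulation mapping are
-- constructed first-pass heuristics based on column names only.
SELECT
  c.table_schema,
  c.table_name,
  c.column_name,
  c.data_type,
  t.table_rows AS approx_rows,   -- estimate; shows where exposure is largest
  CASE
    WHEN LOWER(c.column_name) REGEXP 'ssn|national_id|passport|tax_id' THEN 'PII:identifier'
    WHEN LOWER(c.column_name) REGEXP 'email|phone|address|birth|dob'  THEN 'PII:contact'
    WHEN LOWER(c.column_name) REGEXP 'card|iban|account_no|salary'    THEN 'financial'
    WHEN LOWER(c.column_name) REGEXP 'diagnos|mrn|prescri|allerg'     THEN 'PHI:health'
    ELSE 'PII:name (high false-positive rate, review manually)'
  END AS category,
  CASE
    WHEN LOWER(c.column_name) REGEXP 'diagnos|mrn|prescri|allerg'  THEN 'HIPAA'
    WHEN LOWER(c.column_name) REGEXP 'card|iban|account_no|salary' THEN 'SOX'
    ELSE 'GDPR'
  END AS likely_regulation
FROM information_schema.columns AS c
JOIN information_schema.tables  AS t
  ON  t.table_schema = c.table_schema
  AND t.table_name   = c.table_name
WHERE LOWER(c.table_schema) NOT IN
      ('mysql', 'information_schema', 'performance_schema', 'metrics_schema', 'sys')
  AND LOWER(c.column_name) REGEXP
      'ssn|national_id|passport|tax_id|email|phone|address|birth|dob|name|card|iban|account_no|salary|diagnos|mrn|prescri|allerg'
ORDER BY approx_rows DESC, c.table_schema, c.table_name, c.column_name;
```

Even this version flags `hostname` and `filename` as PII while missing a `notes` or `comment` column that actually holds addresses or diagnoses; that blind spot is exactly what content-based discovery closes.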
Where Native Features Fall Short
| Feature | Community | Enterprise/Dedicated Cloud | Notes |
|---|---|---|---|
| RBAC | ✅ | ✅ | Basic SQL grants |
| Structured Audit Logs | ❌ | ✅ (v7.1+) | JSON filters, no GUI |
| Redacted Logging | ❌ | ✅ | Manual toggle |
| Dynamic Masking | ❌ | ❌ | Not supported |
| Data Discovery | Manual | Manual | Regex only, no tagging or dashboards |
| Real-Time Alerts | ❌ | ❌ | External tooling required |
| Compliance Reports | ❌ | ❌ | Not available natively |
Extending Governance with DataSunrise
DataSunrise is a database security platform that integrates seamlessly with TiDB. It operates as a proxy or sniffer layer, inspecting traffic and applying compliance rules in real time—without requiring changes to your database or application logic.
It offers discovery, masking, auditing, and alerting features that close the compliance gaps left by native tools.
Sensitive Data Discovery
Unlike regex-based methods, DataSunrise includes a built-in engine for classifying columns by content and context. Its discovery module automatically detects PII, PHI, and financial data using preconfigured patterns aligned with major regulations.
You get schema-wide dashboards that highlight sensitive data across your TiDB environment.

Dynamic Data Masking
DataSunrise enables column-level masking based on who’s querying the database, what they’re accessing, and how. With masking rules, you can define:
- Full or partial masking
- Hashing, nulling, or regex substitution
- Rules based on user, IP, or schema context
It all happens before the query reaches TiDB.
Real-Time Alerts and Monitoring
Configure alerts for sensitive events like:
- Failed logins
- DDL changes
- Large query volumes
You can integrate with Slack, Microsoft Teams, email, or your SIEM via notification rules.
Compliance Reporting
DataSunrise makes audit output actionable with exportable PDF and CSV reports covering:
- Access logs
- Masking rule usage
- Classification summaries
These reports align with regulator expectations for GDPR, HIPAA, and SOX audits.
Visual Rule Management
Teams can define and manage governance policies through an intuitive UI, building and assigning rules without writing code. This makes it easier to scale governance efforts across teams and databases.

Architecture: Governance with DataSunrise and TiDB
To implement policy enforcement without changing your application logic or modifying TiDB internals, DataSunrise operates as a transparent proxy. It intercepts SQL queries, applies masking, logging, or alerting rules, and then passes them to TiDB as usual.
The diagram below illustrates how DataSunrise fits into the TiDB deployment model:

Governance Task Checklist
To help apply these practices step-by-step, here’s a quick breakdown of essential governance tasks and the tools best suited for each.
| Task | Tool | Description |
|---|---|---|
| Define roles & access | TiDB | Use CREATE ROLE, GRANT |
| Set up audit filters | TiDB Enterprise | JSON-based, filtered by event class |
| Enable PITR | TiDB BR | Log-based restore to a precise timestamp |
| Discover sensitive data | DataSunrise | Auto-scan and classify columns |
| Mask data dynamically | DataSunrise | Based on user, IP, schema, or role |
| Send real-time alerts | DataSunrise | Slack, Teams, email, SIEM |
| Generate audit reports | DataSunrise | Export compliance data in CSV or PDF |
Conclusion
TiDB offers strong foundational tools for access control and backup, but its governance features stop short of what modern compliance demands.
DataSunrise fills that gap with dynamic enforcement, automated classification, real-time alerting, and policy-based visibility — all without modifying your applications or database structure.
For teams seeking to implement full lifecycle governance in TiDB, it’s the practical, efficient path forward.
Protect Your Data with DataSunrise
Secure your data across every layer with DataSunrise. Detect threats in real time with Activity Monitoring, Data Masking, and Database Firewall. Enforce Data Compliance, discover sensitive data, and protect workloads across 50+ supported cloud, on-prem, and AI system data source integrations.
Start protecting your critical data today