This topic describes how to customize desensitization rules in the Data Security Guard console so that DataWorks can dynamically desensitize the results of ad-hoc queries.
Customize desensitization rules in the Data Security Guard console
- Log on to the DataWorks console, find the target workspace, and click Data Analytics.
- Click the DataWorks icon in the upper-left corner and choose Note If you have not used the Data Security Guard service before, you will jump to the product page. Click Try Now on the page that appears to go to the Data Security Guard console.
- In the left-side navigation pane, choose .
- On the page that appears, set Masking Scene to Default (_default_scene_code). Click Create Rule in the upper-right corner to create a desensitization rule.
- In the Create Rule dialog box that appears, set Rule, Owner, and Method.
Currently, Data Security Guard provides three methods for desensitizing ID card numbers, including Pseudonymisation, Hashing, and Masking Out. For other types of data, only the Hashing and Masking Out methods are provided.
This method replaces the text of a data record with an artificial pseudonym of the same data type. If you select this method, you need to specify a security domain. Rules with different security domains generate different pseudonyms for the same data record.
If you select this method, you need to specify a security domain. Rules with different security domains generate different hash values for the same data record.
- Masking Out
This method uses asterisks (*) to mask specified parts of a data record. It is commonly used.
Configuration item Description Recommended You can select recommended policies to mask data of common types such as ID card numbers and bank card numbers. Custom You can flexibly specify whether to mask the specified number of characters at the first, middle, or last part of a data record.
- After the configuration is complete, click OK. You will jump to the Data Masking page.
- On the Data Masking page, switch the status of a rule to Active or Inactive as needed.
You can click the icon in the Actions column of the rule to test whether it works.
- Click the Whitelist tab. On the tab that appears, click Add Account in the upper-right corner.
- In the Add Account dialog box that appears, set Rule, Account, and Effective From and click Save.
You can specify either an Alibaba Cloud account or a RAM user in the Account field.Note If you query data beyond the time range specified for the whitelist, the query results will still be desensitized.