This topic describes how to customize desensitization rules in the Data Security Guard console so that DataWorks can dynamically desensitize the results of ad-hoc queries.

Customize desensitization rules in the Data Security Guard console

Note You must first activate the Data Security Guard service to customize desensitization rules.
  1. Log on to the DataWorks console, find the target workspace, and click Data Analytics.
  2. Click the DataWorks icon in the upper-left corner and choose All Products > Data Security Guard.
    Note If you have not used the Data Security Guard service before, you will jump to the product page. Click Try Now on the page that appears to go to the Data Security Guard console.
  3. In the left-side navigation pane, choose Management > Data Masking.
  4. On the page that appears, set Masking Scene to Default (_default_scene_code). Click Create Rule in the upper-right corner to create a desensitization rule.
  5. In the Create Rule dialog box that appears, set Rule, Owner, and Method.

    Currently, Data Security Guard provides three methods for desensitizing ID card numbers, including Pseudonymisation, Hashing, and Masking Out. For other types of data, only the Hashing and Masking Out methods are provided.

    • Pseudonymisation

      This method replaces the text of a data record with an artificial pseudonym of the same data type. If you select this method, you need to specify a security domain. Rules with different security domains generate different pseudonyms for the same data record.

    • Hashing

      If you select this method, you need to specify a security domain. Rules with different security domains generate different hash values for the same data record.

    • Masking Out

      This method uses asterisks (*) to mask specified parts of a data record. It is commonly used.

      Configuration item Description
      Recommended You can select recommended policies to mask data of common types such as ID card numbers and bank card numbers.
      Custom You can flexibly specify whether to mask the specified number of characters at the first, middle, or last part of a data record.
  6. After the configuration is complete, click OK. You will jump to the Data Masking page.
  7. On the Data Masking page, switch the status of a rule to Active or Inactive as needed.

    You can click the 预览 icon in the Actions column of the rule to test whether it works.

  8. Click the Whitelist tab. On the tab that appears, click Add Account in the upper-right corner.
  9. In the Add Account dialog box that appears, set Rule, Account, and Effective From and click Save.

    You can specify either an Alibaba Cloud account or a RAM user in the Account field.

    Note If you query data beyond the time range specified for the whitelist, the query results will still be desensitized.

Verify the desensitization effect in DataWorks

After you successfully created and configured desensitization rules, DataWorks dynamically desensitizes the results of ad-hoc queries in your workspace based on the rules.
Note You must first turn on the Mask Data in Page Query Results switch for your workspace in the DataWorks console.