Sensitive Data Discovery and Protection (SDDP) must be authorized to access your data assets before it can detect sensitive data in the data assets. Supported data assets include data stored in MaxCompute, Relational Database Service (RDS), Object Storage Service (OSS), Tablestore, user-created databases hosted on Elastic Compute Service (ECS) instances, PolarDB-X, and PolarDB. This topic describes how to authorize SDDP to access your data assets.

Prerequisites

SDDP is activated and is authorized to access Alibaba Cloud resources. For more information, see Authorize SDDP to access Alibaba Cloud resources.

Background information

SDDP can access and scan specific data assets in other Alibaba Cloud services for sensitive data and de-identify the sensitive data only after you grant the required permissions to SDDP.

Authorize SDDP to access OSS buckets

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the OSS tab, click Unauthorized.
  4. Select the target OSS buckets and click Batch Operation.Batch operations
    You can also click Authorization in the Open Protection column for a single OSS bucket to authorize SDDP to access the OSS bucket.
  5. In the Batch Processing for Selected Assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.Batch Operation
    Set the following switches and parameters:
    • Identify Permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit Permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization Permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive Data Sampling: the number of samples to be collected from the selected data assets. SDDP collects samples when it detects sensitive data in your data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit Log Archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      Note You do not need to activate Log Service to archive audit logs generated by SDDP.
  6. Click Confirm.
    After the authorization is complete, SDDP scans authorized OSS buckets for sensitive data. When SDDP accesses an OSS bucket for the first time, SDDP automatically scans all the data stored in the OSS bucket, and a full-scan fee will be incurred. For more information, see How long does it take to scan data in my data asset after I authorize SDDP to access the data asset?

    In the list of authorized data assets, you can modify the authorization configuration of a data asset or cancel the authorization for a data asset. After you cancel the authorization for an OSS bucket, SDDP no longer scans the OSS bucket.

    Note SDDP scans only authorized OSS buckets and analyzes risks of sensitive data detected in these OSS buckets.

Authorize SDDP to access RDS databases

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click the RDS tab.
  4. On the RDS tab, click Unauthorized.
  5. Find the target data assets and enter the username and password used to access each data asset in the Username and Password fields respectively.

    You can also click Batch Password Import in the upper-right corner and upload an authorization file to import logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Notice Incorrect usernames or passwords will result in an authorization failure. Check the information that you enter before you submit the authorization configuration.
  6. Select the target data assets and click Batch Operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  7. In the Batch Processing for Selected Assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify Permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit Permissions: specifies whether to grant SDDP the audit permission on the selected data assets.

      SDDP allows you to collect audit logs that cover the generation, update, and use of your data assets. The log information includes the audit rule that is hit for a data asset, the type of the data asset, the type of the operation that hits the audit rule, and the operator account.

      Note After you enable the audit log feature for an RDS database, SQL Explorer is automatically enabled, which incurs corresponding fees. You are charged an hourly fee of USD 0.0018 per GB for using SQL Explorer of the non-trial edition. The fee is listed in the bill of your RDS service. For more information about how to view the fee, see View the spending details of an ApsaraDB for RDS instance. For more information about SQL Explorer, see SQL Explorer.
    • Desensitization Permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive Data Sampling: the number of samples to be collected from the selected data assets. SDDP collects samples when it detects sensitive data in your data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit Log Archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      Note You do not need to activate Log Service to archive audit logs generated by SDDP.
  8. Click Confirm.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, SDDP scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration of a data asset or cancel the authorization for a data asset. When you modify the authorization configuration of an RDS database, you can only modify the username and password for accessing the database. After you cancel the authorization for an RDS database, SDDP no longer scans the database.

Authorize SDDP to access PolarDB-X databases

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click the DRDS tab.
  4. On the DRDS tab, click Unauthorized.
  5. Find the target data assets and enter the username and password used to access each data asset in the Username and Password fields respectively.

    You can also click Batch Password Import in the upper-right corner and upload an authorization file to import logon information for multiple data assets at a time. For more information, see #d6e922.

    Notice Incorrect usernames or passwords will result in an authorization failure. Check the information that you enter before you submit the authorization configuration.
  6. Select the target data assets and click Batch Operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  7. In the Batch Processing for Selected Assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify Permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit Permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization Permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive Data Sampling: the number of samples to be collected from the selected data assets. SDDP collects samples when it detects sensitive data in your data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit Log Archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      Note You do not need to activate Log Service to archive audit logs generated by SDDP.
  8. Click Confirm.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, SDDP scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration of a data asset or cancel the authorization for a data asset. When you modify the authorization configuration of a PolarDB-X database, you can only modify the username and password for accessing the database. After you cancel the authorization for a PolarDB-X database, SDDP no longer scans the database.

Authorize SDDP to access PolarDB databases

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click the PolarDB tab.
  4. On the PolarDB tab, click Unauthorized.
  5. Find the target data assets and enter the username and password used to access each data asset in the Username and Password fields respectively.

    You can also click Batch Password Import in the upper-right corner and upload an authorization file to import logon information for multiple data assets at a time. For more information, see #d6e922.

    Notice Incorrect usernames or passwords will result in an authorization failure. Check the information that you enter before you submit the authorization configuration.
  6. Select the target data assets and click Batch Operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  7. In the Batch Processing for Selected Assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify Permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit Permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization Permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive Data Sampling: the number of samples to be collected from the selected data assets. SDDP collects samples when it detects sensitive data in your data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit Log Archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      Note You do not need to activate Log Service to archive audit logs generated by SDDP.
  8. Click Confirm.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, SDDP scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration of a data asset or cancel the authorization for a data asset. When you modify the authorization configuration of a PolarDB database, you can only modify the username and password for accessing the database. After you cancel the authorization for a PolarDB database, SDDP no longer scans the database.

Authorize SDDP to access Tablestore instances

You can authorize SDDP to access one or more Tablestore instances.

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click the OTS tab.
  4. On the OTS tab, click Unauthorized.
  5. Select the target data assets and click Batch Operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  6. In the Batch Processing for Selected Assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify Permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit Permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization Permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive Data Sampling: the number of samples to be collected from the selected data assets. SDDP collects samples when it detects sensitive data in your data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit Log Archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      Note You do not need to activate Log Service to archive audit logs generated by SDDP.
  7. Click Confirm.
    After the authorization is complete, SDDP scans authorized data assets for sensitive data.

Authorize SDDP to access user-created databases hosted on ECS instances

A database hosted on an ECS instance must meet the following requirements before it can be scanned by SDDP:
  • The ECS instance resides in a virtual private cloud (VPC).
  • The database is a MySQL or SQL Server database.
  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click the ECS Self-built Database tab.
  4. On the ECS Self-built Database tab, click Add Data Assets.
  5. In the Asset Authorization dialog box, set the parameters as required and click Next.
    The following table describes the parameters for adding a user-created database hosted on an ECS instance to SDDP.
    Parameter Description
    Region The region of the database that you want to authorize SDDP to access.
    ECS Instance ID The ID of the ECS instance where the database is hosted.
    Database Type The type of the database that you want to authorize SDDP to access. Valid values: MySQL and SQL Server.
    Library Name The name of the database that you want to authorize SDDP to access.
    Note If you also need to authorize SDDP to access other user-created databases hosted on the ECS instance, click Add Database to add the databases.
    Port The port number used to access the database.
    User Name The username and password of a valid user of the database.
    Password
  6. In the Batch Processing for Selected Assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify Permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit Permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization Permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive Data Sampling: the number of samples to be collected from the selected data assets. SDDP collects samples when it detects sensitive data in your data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit Log Archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 Days
      • 90 Days
      • 180 Days
      Note You do not need to activate Log Service to archive audit logs generated by SDDP.
  7. Click Confirm.
    After the authorization is complete, SDDP scans authorized data assets for sensitive data.

Authorize SDDP to access a MaxCompute project

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click the MaxCompute tab.
  4. On the MaxCompute tab, click Add Data Assets.
  5. In the Add Data Assets dialog box, set the parameters as required. The following table describes the parameters for adding a MaxCompute project to SDDP.
    Parameter Description
    Region The region of the MaxCompute project that you want to authorize SDDP to access.
    Project Name The name of the MaxCompute project that you want to authorize SDDP to access.
    Note You must enter the exact name of the MaxCompute project.
  6. Run the following commands on the MaxCompute client to add the SDDP account yundun_sddp to the MaxCompute project. SDDP uses this account to access the MaxCompute project.
    add user aliyun$yundun_sddp;
    
    grant admin to aliyun$yundun_sddp;

    Perform one of the following operations based on the returned result:

    • If the preceding commands are run and no error message is returned, go to Step 8.
    • If an error message is returned, go to Step 7.
  7. Optional:Run the following command on the MaxCompute client to add the service IP addresses of SDDP to the IP address whitelist of the MaxCompute project:
    
    setproject odps.security.ip.whitelist=11.193.236.0/24,11.193.64.0/24,11.193.58.0/24 odps.security.vpc.whitelist=<VPC ID>;
    // In the preceding command, 11.193.236.0/24, 11.193.64.0/24, and 11.193.58.0/24 are the Classless Inter-Domain Routing (CIDR) blocks used by SDDP on the classic network. They must be added to the IP address whitelist.
    // Replace the VPC ID with that of the region where your MaxCompute project resides. The following table lists the VPC IDs of the supported regions.

    If the IP address whitelist feature is enabled for your MaxCompute project, you must add the service IP addresses of SDDP to the IP address whitelist of the MaxCompute project. You can run the setproject; command to check whether the IP address whitelist feature is enabled. If the value of the odps.security.vpc.whitelist parameter is empty, the IP address whitelist feature is not enabled. In this case, you can skip this step.

    Region Region ID VPC ID
    China (Zhangjiakou-Beijing Winter Olympics) cn-zhangjiakou cn-zhangjiakou_399229
    China (Beijing) cn-beijing cn-beijing_691047
    China (Shenzhen) cn-shenzhen cn-shenzhen_515895
    China (Shanghai) cn-shanghai cn-shanghai_28803
    China (Hangzhou) cn-hangzhou cn-hangzhou_551733
    Note After you configure the IP address whitelist, wait 5 minutes before you go to the next step.
  8. Click Confirm.
    Note If the authorization fails, check whether the parameters about the MaxCompute project are correctly set and whether the SDDP account is added to the MaxCompute project.
    After the authorization is complete, SDDP scans authorized MaxCompute project for sensitive data.

    In the list of authorized MaxCompute projects, you can cancel the authorization for a MaxCompute project. After you cancel the authorization for a MaxCompute project, SDDP no longer scans the project.

Import logon information for multiple data assets at a time

SDDP allows you to upload an EXCEL file to import logon information for multiple data assets, including RDS databases, PolarDB-X databases, and PolarDB databases, at a time to improve authorization efficiency. To import logon information for multiple data assets at a time, perform the following steps:

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data Protection Authorization > Data Asset authorization.
  3. On the Cloud Hosting page, click Batch Password Import in the upper-right corner.
  4. In the Batch Password Import dialog box, click SDDP Authorization File Template.xlsx to download the template file.
  5. Open the downloaded file, enter the username and password used to access each data asset in the user name and password columns, and then save the file.
    If you modify the existing usernames and passwords in the downloaded file and upload the file to the SDDP console, the logon information saved in the SDDP console will be updated.
  6. In the Batch Password Import dialog box, click File Upload to upload the template file that you have edited.
  7. Click OK.
    After you upload the EXCEL file, the usernames and passwords that you enter in the file will be synchronized to the Username and Password columns for the relevant databases on the RDS, DRDS, and PolarDB tabs, as shown in the following figure. Then, you can authorize SDDP to access these data assets without the need to manually enter the logon information in the SDDP console.After the import

Troubleshoot an authorization failure

An authorization failure may occur when you authorize SDDP to access your data assets. In this case, you can troubleshoot the authorization failure based on the following possible causes:
  • Possible causes of an authorization failure for RDS
    • The username or password for accessing the RDS database is invalid.
    • The service IP addresses of SDDP are deleted from the whitelist of the RDS database.
    • The RDS database resides in the classic network, but the public endpoint of the RDS database is inaccessible due to access control.
  • Possible causes of an authorization failure for MaxCompute
    • The name of the MaxCompute project is invalid.
    • The SDDP account fails to be added to the MaxCompute project.