Sensitive Data Discovery and Protection (SDDP) must be authorized to access specific data assets before it can detect sensitive data in the data assets. Supported data assets include Object Storage Service (OSS) buckets, ApsaraDB RDS databases, DRDS databases, PolarDB databases, Tablestore instances, self-managed databases hosted on Elastic Compute Service (ECS) instances, and MaxCompute projects. This topic shows you how to authorize SDDP to access specific data assets.

Prerequisites

SDDP is activated. SDDP is authorized to access Alibaba Cloud resources. For more information, see Authorize SDDP to access Alibaba Cloud resources.

Background information

You can authorize SDDP to access specific data assets in Alibaba Cloud services. If you do not authorize SDDP to access the data assets, SDDP cannot detect sensitive data in Alibaba Cloud services or de-identify the sensitive data.

Authorize SDDP to access OSS buckets

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the OSS tab, click Unauthorized.
  4. Select the OSS buckets that you want to authorize SDDP to access and click Batch operation.Batch operation
    You can also click Authorization in the Open protection column for a single OSS bucket to authorize SDDP to access the OSS bucket.
  5. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.Batch operation page
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive data sampling: the number of samples that SDDP collects from the selected data assets. SDDP collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by SDDP.
  6. Click OK.
    After the authorization is completed, SDDP scans authorized OSS buckets for sensitive data. When SDDP accesses an OSS bucket for the first time, SDDP automatically scans all the data in the OSS bucket, and you are charged for the full scan. For more information, see How long does it take to scan data in my data asset after I authorize SDDP to access the data asset?.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. After you cancel the authorization, SDDP no longer scans the OSS bucket.

    Note SDDP scans only authorized OSS buckets and analyzes risks of sensitive data detected in these OSS buckets.

Authorize SDDP to access ApsaraDB RDS databases

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the RDS tab.
  4. On the RDS tab, click Unauthorized.
  5. Find the data assets that you want to authorize SDDP to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import logon information for multiple data assets at a time. For more information, see Import usernames and passwords for multiple data assets at a time.

    Notice Incorrect usernames or passwords cause an authorization failure. Make sure that you enter correct usernames and passwords.
  6. Select the data assets that you want to authorize SDDP to access and click Batch operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  7. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit permissions: specifies whether to grant SDDP the audit permission on the selected data assets.

      SDDP allows you to collect audit logs that cover the generation, update, and use of your data assets. The log information includes the audit rule that is hit for a data asset, the type of the data asset, the type of the operation that hits the audit rule, and the operator account.

      Note After you enable the audit log feature for an ApsaraDB RDS database, SQL Explorer is automatically enabled, and you are charged for using SQL Explorer.You are charged an hourly fee of USD 0.0018 per GB for using SQL Explorer of the non-trial edition. The fee is listed in the bill of your ApsaraDB RDS service. For more information about how to view the fee, see View the spending details of an ApsaraDB for RDS instance. For more information about SQL Explorer, see SQL Explorer.
    • Desensitization permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive data sampling: the number of samples that SDDP collects from the selected data assets. SDDP collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by SDDP.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is completed, SDDP scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for an ApsaraDB RDS database, you can modify only the username and password for accessing the database. After you cancel the authorization, SDDP no longer scans the database.

Authorize SDDP to access DRDS databases

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the DRDS tab.
  4. On the DRDS tab, click Unauthorized.
  5. Find the data assets that you want to authorize SDDP to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import logon information for multiple data assets at a time. For more information, see Import usernames and passwords for multiple data assets at a time.

    Notice Incorrect usernames or passwords cause an authorization failure. Make sure that you enter correct usernames and passwords.
  6. Select the data assets that you want to authorize SDDP to access and click Batch operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  7. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive data sampling: the number of samples that SDDP collects from the selected data assets. SDDP collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by SDDP.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is completed, SDDP scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for a DRDS database, you can modify only the username and password for accessing the database. After you cancel the authorization, SDDP no longer scans the database.

Authorize SDDP to access PolarDB databases

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the PolarDB tab.
  4. On the PolarDB tab, click Unauthorized.
  5. Find the data assets that you want to authorize SDDP to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import logon information for multiple data assets at a time. For more information, see Import usernames and passwords for multiple data assets at a time.

    Notice Incorrect usernames or passwords cause an authorization failure. Make sure that you enter correct usernames and passwords.
  6. Select the data assets that you want to authorize SDDP to access and click Batch operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  7. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive data sampling: the number of samples that SDDP collects from the selected data assets. SDDP collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by SDDP.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is completed, SDDP scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for a PolarDB database, you can modify only the username and password for accessing the database. After you cancel the authorization, SDDP no longer scans the database.

Authorize SDDP to access Tablestore instances

OTS refers to Tablestore.

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the OTS tab.
  4. On the OTS tab, click Unauthorized.
  5. Select the data assets that you want to authorize SDDP to access and click Batch operation.
    You can also click Authorization in the Actions column for a single data asset to authorize SDDP to access the data asset.
  6. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive data sampling: the number of samples that SDDP collects from the selected data assets. SDDP collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by SDDP.
  7. Click OK.
    After the authorization is completed, SDDP scans authorized data assets for sensitive data.

Authorize SDDP to access self-managed databases hosted on ECS instances

A self-managed database hosted on an ECS instance must meet the following requirements before it can be scanned by SDDP:
  • The ECS instance on which the self-managed database is hosted resides in a virtual private cloud (VPC) so that SDDP can scan the database.
  • The self-managed database hosted on the ECS instance is a MySQL or SQL Server database.
  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the ECS self-built database tab.
  4. On the ECS self-built database tab, click Add data assets.
  5. In the Asset authorization dialog box, set the parameters as required and click Next.
    The following table describes the parameters for adding a self-managed database hosted on an ECS instance to SDDP.
    Parameter Description
    Region The region of the self-managed database that is hosted on the ECS instance and you want to authorize SDDP to access.
    ECS instance ID The ID of the ECS instance on which the self-managed database that you want to authorize SDDP to access is hosted.
    Database type The type of the self-managed database that is hosted on the ECS instance and you want to authorize SDDP to access. SDDP supports the following two types of self-managed databases hosted on ECS instances: MySQL and SQL Server.
    Library name The name of the self-managed database that is hosted on the ECS instance and you want to authorize SDDP to access.
    Note If you also need to authorize SDDP to access other self-managed databases hosted on the ECS instance, click Add Database to add the databases.
    Port The port number used to access the self-managed database hosted on the ECS instance.
    User name The username and password of a valid user of the self-managed database hosted on the ECS instance.
    Password
  6. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for SDDP and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant SDDP the sensitive data detection permission on the selected data assets.
    • Audit permissions: specifies whether to grant SDDP the audit permission on the selected data assets.
    • Desensitization permissions: specifies whether to grant SDDP the sensitive data de-identification permission on the selected data assets.
    • Sensitive data sampling: the number of samples that SDDP collects from the selected data assets. SDDP collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by SDDP.
  7. Click OK.
    After the authorization is completed, SDDP scans authorized data assets for sensitive data.

Authorize SDDP to access a MaxCompute project

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the MaxCompute tab.
  4. On the MaxCompute tab, click Add data assets.
  5. In the Add data assets dialog box, set the parameters as required. The following table describes the parameters for adding a MaxCompute project to SDDP.
    Parameter Description
    Region The region of the MaxCompute project that you want to authorize SDDP to access.
    Project Name The name of the MaxCompute project.
    Note Fuzzy search is not supported. You must enter the exact name of the project.
  6. Run the following commands on the MaxCompute client to add the SDDP account yundun_sddp to the MaxCompute project. SDDP uses this account to access the MaxCompute project.
    add user aliyun$yundun_sddp;
    
    grant admin to aliyun$yundun_sddp;

    Perform one of the following operations based on the returned result:

    • If no error message is returned after the preceding commands are run, go to Step 8.
    • If an error message is returned after the preceding commands are run, go to Step 7.
  7. Optional:Run the following command to add the service IP addresses of SDDP to the IP address whitelist of the MaxCompute project:
    
    setproject odps.security.ip.whitelist=11.193.236.0/24,11.193.64.0/24,11.193.58.0/24 odps.security.vpc.whitelist=<VPC ID>;
    // 11.193.236.0/24, 11.193.64.0/24, and 11.193.58.0/24 are the Classless Inter-Domain Routing (CIDR) blocks used by SDDP on the classic network. They must be added to the IP address whitelist.
    // Replace the VPC ID with that of the region where your MaxCompute project resides. The following table describes the VPC IDs of the supported regions.

    If the IP address whitelist feature is enabled for your MaxCompute project, you must add the service IP addresses of SDDP to the IP address whitelist of the MaxCompute project. You can run the setproject; command to check whether the IP address whitelist feature is enabled for your MaxCompute project. If the value of the odps.security.vpc.whitelist parameter is empty, the IP address whitelist feature is not enabled. In this case, you can skip this step.

    Region Region ID VPC ID
    China (Zhangjiakou) cn-zhangjiakou cn-zhangjiakou_399229
    China (Beijing) cn-beijing cn-beijing_691047
    China (Shenzhen) cn-shenzhen cn-shenzhen_515895
    China (Shanghai) cn-shanghai cn-shanghai_28803
    China (Hangzhou) cn-hangzhou cn-hangzhou_551733
    Note After you configure the IP address whitelist, wait 5 minutes before you go to the next step.
  8. Click OK.
    Note If the authorization fails, check whether the authorization parameters are correctly set and whether the SDDP account is added to the MaxCompute project.
    After the authorization is completed, SDDP scans the authorized MaxCompute project for sensitive data.

    In the list of authorized MaxCompute projects, you can cancel the authorization for a MaxCompute project. After you cancel the authorization, SDDP no longer scans the project.

Import usernames and passwords for multiple data assets at a time

SDDP allows you to upload an EXCEL file to import usernames and passwords for multiple data assets at a time. This way, you can authorize SDDP to access multiple data assets at a time. The data assets include ApsaraDB RDS databases, DRDS databases, and PolarDB databases. To import usernames and passwords for multiple data assets at a time, perform the following steps:

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click Batch password import in the upper-right corner.
  4. In the Batch password import dialog box, click SDDP Authorization File Template.xlsx.
  5. Open the downloaded template file, enter the username and password used to access each data asset in the user name and password columns, and then save the template file.
    If you modify the existing usernames and passwords in the template file and upload the file to the SDDP console, the usernames and passwords saved in the SDDP console are updated.
  6. In the Batch password import dialog box, click File Upload to upload the template file that you have edited.
  7. Click OK.
    The EXCEL file is uploaded. Then, SDDP synchronizes the usernames and passwords that you enter in the file to the Username and Password columns for the related databases on the RDS, DRDS, and PolarDB tabs. The following figure shows that the usernames and passwords are imported. You can authorize SDDP to access these databases on the Cloud hosting page without the need to manually enter the usernames and passwords for accessing the databases.After the import

Troubleshoot an authorization failure

An authorization failure may occur when you authorize SDDP to access your data assets. You can troubleshoot an authorization failure based on the following possible causes:
  • Possible causes of an authorization failure for ApsaraDB RDS
    • The username or password for accessing the ApsaraDB RDS database is invalid.
    • The service IP addresses of SDDP are deleted from the whitelist of the ApsaraDB RDS database.
    • The ApsaraDB RDS database resides on the classic network, but the public endpoint of the ApsaraDB RDS database is inaccessible due to access control.
  • Possible causes of an authorization failure for MaxCompute
    • The name of the MaxCompute project is invalid.
    • The SDDP account fails to be added to the MaxCompute project.