Sensitive Data Discovery and Protection (SDDP) must be authorized to access your data in MaxCompute, Relational Database Service (RDS), or Object Storage Service (OSS) before SDDP can identify sensitive data in the service.

Authorize SDDP to access a MaxCompute project

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration. On the Authorization Configuration page that appears, click Configure Asset Authorization. In the Configure Asset Authorization dialog box that appears, click the MaxCompute Project Access Authorization tab.
  3. Set Region to the region where the MaxCompute project resides.
  4. Set Project Name.
    Note You must enter the exact name of the MaxCompute project.
  5. Run the following commands on the MaxCompute client to add the SDDP account yundun_sddp to the MaxCompute project. SDDP uses this account to access the MaxCompute project.
    add user aliyun$yundun_sddp;
    
    grant admin to aliyun$yundun_sddp;
  6. Click Complete Authorization.
    Note If the authorization fails, check whether the parameters of the MaxCompute project are set correctly and whether the SDDP account was successfully added to the MaxCompute project.
After the authorization is completed, the MaxCompute project appears in the list of authorized assets in the SDDP console. SDDP scans data in the MaxCompute project for sensitive data.
You can delete the MaxCompute project from the list. After you delete the MaxCompute project from the list, SDDP no longer scans data in the MaxCompute project.
Note After you delete the MaxCompute project from the list, if you no longer need to monitor data in the MaxCompute project, you can remove the SDDP account from the project on the MaxCompute client.
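
The following commands are an added example, not part of the original procedure. Run on the MaxCompute client in the same project as step 5, they confirm that the SDDP account was added and, once the project has been deleted from the list, remove the account again.

```sql
-- Confirm that the SDDP account exists in the current project.
list users;

-- Review what the account is allowed to do after "grant admin".
show grants for aliyun$yundun_sddp;

-- Cleanup once the project has been deleted from the SDDP list:
-- revoke the role granted in step 5, then remove the account.
revoke admin from aliyun$yundun_sddp;
remove user aliyun$yundun_sddp;
```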

Authorize SDDP to access an RDS database

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration. On the Authorization Configuration page that appears, click Configure Asset Authorization. In the Configure Asset Authorization dialog box that appears, click the RDS Database Access Authorization tab.
  3. Set Region to the region where the RDS database resides.
  4. Select the RDS instance and database.
    Note You must enter the exact names of the RDS instance and database.
  5. Enter the username and password of a valid user of the RDS database.
  6. Click Complete Authorization.
    Note If the authorization fails, check whether the parameters of the RDS database are set correctly.
After the authorization is completed, the RDS database appears in the list of authorized assets in the SDDP console. SDDP scans data in the RDS database for sensitive data.
You can edit the RDS database or delete it from the list. When editing the RDS database, you can modify only the username and password for accessing the RDS database. After you delete the RDS database from the list, SDDP no longer scans data in the RDS database.
Note After you delete the RDS database from the list, if you no longer need to monitor data in the RDS database, you can delete the IP address of the SDDP server from the whitelist in the RDS console.

Authorize SDDP to access an OSS bucket

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Security Configuration > Authorization Configuration. On the Authorization Configuration page that appears, click Configure Asset Authorization. In the Configure Asset Authorization dialog box that appears, click the OSS bucket Access Authorization tab.
  3. Select the OSS bucket in the Select OSS bucket that needs authorization section on the left, and click the icon to move the bucket to the Authorized OSS Bucket section on the right.
After the authorization is completed, the OSS bucket appears in the list of authorized assets in the SDDP console. SDDP scans data in the OSS bucket for sensitive data.

You can edit the OSS bucket or delete it from the list. After you click Edit in the Actions column for the OSS bucket, the Edit Connection Authorization dialog box appears. In this dialog box, you can manage the OSS buckets that SDDP is authorized to access. After you delete the OSS bucket from the list, SDDP no longer scans data in the OSS bucket.

Note SDDP only scans data in authorized OSS buckets and analyzes risks of sensitive data.

Troubleshoot an authorization failure

Troubleshoot an authorization failure based on the following possible causes:
  • The name of the MaxCompute project is incorrect or the SDDP account fails to be added to the MaxCompute project.
  • The username or password for accessing the RDS database is incorrect.
  • The IP address of the SDDP server is deleted from the whitelist in the RDS console.
  • The target instance that SDDP needs to access is located in the classic network, but the public endpoint of the instance is inaccessible due to access control.