Data Management: Manage sensitive data

Last Updated: Apr 22, 2024

This topic describes how to configure sensitive fields and data masking rules, and how to apply for permissions on sensitive data.

Prerequisites

  • You are a Data Management (DMS) administrator, a database administrator (DBA), or a security administrator.

    Note

    To view the role of your account, move the pointer over the profile picture icon in the upper-right corner of the DMS console.

  • Supported databases

    • Relational databases

      MySQL, SQL Server, PostgreSQL, MariaDB, PolarDB for PostgreSQL (Compatible with Oracle), PolarDB for Xscale, ApsaraDB for OceanBase, Oracle, DB2, Dameng (DM), Lindorm_CQL, Lindorm_SQL, OpenGauss.

    • Data warehouses

      AnalyticDB for MySQL, AnalyticDB for PostgreSQL, Data Lake Analytics (DLA), ClickHouse, MaxCompute, Hologres, Hive.

  • The sensitive data protection feature is enabled. For more information, see Enable the sensitive data protection feature.

Configure sensitive fields

Note

This feature is available only for administrators.

  1. Log on to the DMS console V5.0.
  2. In the Database instance section in the left-side navigation pane, search for the database that you want to manage.

  3. Right-click the database that you want to manage and select Tables to go to the Table List page.

    Note

    You can also navigate to the SQLConsole tab and access the details page of a table. In the top navigation bar, choose SQL Console > SQL Console, select the database that you want to manage, and then click Confirm. On the SQLConsole tab, click the table details icon in the upper-right corner to go to the Table List page.

  4. Click the expand icon to the left of the table that you want to manage, and click Adjust on the Column tab. In the Adjust Sensitivity Level dialog box, adjust the sensitivity level of one or more fields.

  5. Click Submit for Security Department Approval.

    You are navigated to the SensitivityTicket Details page. Click Approve. The task is executed.

    Note

    The submitted ticket is approved by a user who has the role of administrator, database administrator (DBA), or security administrator.

    The sensitivity level of the field or fields is adjusted.

  6. Return to the SQLConsole tab, double-click the table that you just managed, and then check whether the field or fields for which the sensitivity level was adjusted are masked. The default data masking algorithm type is full redaction.

    Note

    All Data Management (DMS) users, including DMS administrators and DBAs, must apply for permissions on sensitive fields before they can view the data of the sensitive fields. For more information, see Apply for permissions on sensitive fields.

Configure data masking rules

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose Security and Specifications > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Sensitive Data > Sensitive Data Assets.

  3. On the Sensitive Data Assets page, click Global Sensitive Data in the upper-right corner.

  4. On the Field Control tab, select one or more fields for which you want to change the data masking rule, and click Change Masking Rule.

  5. Select an existing data masking rule or create a data masking rule.

    • To use an existing data masking rule, select one from the drop-down list, and click Save.

    • To create a data masking rule, click Create Data Masking Rule. On the Data Masking Rule page, click Create Data Masking Rule, and configure the required information, including rule name and data masking algorithm, on the Create Rule page. For more information, see Create a data masking algorithm.

Apply for permissions on sensitive fields

Note

All DMS users, including DMS administrators and DBAs, must apply for permissions on specific sensitive fields before they can query the data of the sensitive fields. This example demonstrates how to apply for permissions on sensitive fields as a regular user.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose Security and Specifications > Permission Center > Permission Tickets.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

  3. In the upper-right corner of the page, choose Access apply > Sensitive Column-Permission.

  4. On the permission application ticket page, enter the name of the database that you want to manage in the search box, click Search, and then select the sensitive field on which you want to apply for permissions.

  5. Click Add. The sensitive field appears in the Selected Databases/Tables/Columns section.

  6. In the Select Permission section, set the parameters that are described in the following table and click Submit.

    | Parameter | Description |
    | --- | --- |
    | Permission | The type of permission that you want to apply for. You can select one or more permission types. Valid values: Query, Export, and Change. |
    | Data Masking Method | The way in which the sensitive data is displayed. Valid values: Semi-sensitization (the data is displayed in the format that is generated after the specified data masking algorithm is run) and Plain Text (the data is displayed in plaintext). Note: If you set the Permission parameter to Export and the Data Masking Method parameter to Semi-sensitization, the data exported from the sensitive field is partially masked. |
    | Duration | The validity period of the selected permissions. |
    | Reason | The description of the business background and the reason for this application. This reduces unnecessary communication and facilitates the approval process. |

    Note

    After the application is submitted, wait for approval. You can click Submitted Tickets in the My Tickets section on the homepage of the DMS console to view the status of the permission application ticket.

  7. After the ticket is approved, you can query the data of the sensitive field on the SQLConsole tab.
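
The following is an added example, not DMS code: a small Python model of how the parameters in the table above (Permission, Data Masking Method, Duration) determine what a user sees for a sensitive field. The `partial_mask` rule, the `FULL_REDACTION` string, the sample value, and the fallback to full redaction for an expired or missing permission are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

FULL_REDACTION = "******"  # constructed placeholder for the default full redaction


def partial_mask(value: str) -> str:
    """Constructed stand-in for a configured masking rule: keep first and last character."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


@dataclass
class Grant:
    """One approved ticket for a sensitive column, using the table's parameters."""
    permissions: frozenset   # subset of {"Query", "Export", "Change"}
    masking_method: str      # "Semi-sensitization" or "Plain Text"
    expires_at: datetime     # end of the Duration


def render(value, action, grant, now):
    """Return what a user sees for `action` ("Query" or "Export") on a sensitive field."""
    # No ticket, an expired ticket, or a ticket without this permission type:
    # fall back to full redaction (assumed behaviour for all three cases).
    if grant is None or now >= grant.expires_at or action not in grant.permissions:
        return FULL_REDACTION
    if grant.masking_method == "Plain Text":
        return value
    if grant.masking_method == "Semi-sensitization":
        return partial_mask(value)
    return FULL_REDACTION  # unknown method: fail closed


def demo():
    now = datetime(2024, 4, 22, 12, 0)
    phone = "13800001234"  # constructed sample value
    semi = Grant(frozenset({"Query", "Export"}), "Semi-sensitization", now + timedelta(days=7))
    plain = Grant(frozenset({"Query"}), "Plain Text", now + timedelta(days=1))
    return {
        "no_grant": render(phone, "Query", None, now),
        "semi_query": render(phone, "Query", semi, now),
        "semi_export": render(phone, "Export", semi, now),
        "plain_query": render(phone, "Query", plain, now),
        "plain_export_not_granted": render(phone, "Export", plain, now),
        "plain_expired": render(phone, "Query", plain, now + timedelta(days=2)),
    }
```

When reviewing permission tickets, the combination to scrutinize is Plain Text together with Export and a long Duration, because it is the only one in this model that lets unmasked values leave the console.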