DataWorks:Security Center

Last Updated:Jun 03, 2026

DataWorks Security Center gives you fine-grained control over who can access your data, what they can do with it, and when access is revoked. It covers the full data lifecycle—from identity authentication and permission management to sensitive data protection, real-time risk blocking, and compliance auditing—resolving permission chaos, preventing data leaks, and meeting regulatory requirements without slowing down data operations.

Security Center is built around the following governance capabilities:

  • Multi-dimensional data isolation: Precisely isolates data across tenants and workspaces by combining workspace member and data permission policies, preventing cross-boundary data breaches.

  • Fine-grained access control: Combines tenant and workspace roles dynamically, with permission granularity down to the database, table, and column levels. A permission request system with automatic revocation keeps permissions aligned with responsibilities in real time.

  • Proactive protection for high-value data: Automatically identifies high-value data, such as personal or confidential information, using a classification and categorization rule library, then applies static protection (masking, watermarking, encryption) and dynamic masking policies so the data stays protected throughout its lifecycle.

  • Real-time intelligent risk defense: Continuously monitors high-risk operations such as abnormal downloads or unauthorized sharing using user behavior analysis (UBA) and a custom rules engine. When a risk rule triggers, the system instantly blocks the operation or routes it through an approval process—shifting from reactive response to proactive defense.

The five core governance pillars

Authentication

  • Unified identity access: Integrates with Alibaba Cloud identities (Alibaba Cloud accounts, RAM users, and RAM roles) and with enterprise account systems. Supports Alibaba Cloud single sign-on (SSO) and the SCIM protocol for connecting to enterprise identity providers (IdPs), whether self-built or third-party, so that login and identity lifecycle management are handled in one place.

  • Secure identity foundation: Ensures all operations are performed by verified identities, eliminating the risk of unauthenticated access.

Authorization

Defines roles and access policies to enforce the principle of least privilege.

  • Two-layer role system: Combines tenant roles (global policies) and workspace roles (workspace-level policies). Includes more than 10 preset roles—workspace administrator, developer, operator, and data analyst—plus custom roles for complex organizational structures.

  • Least privilege management: Provides permission granularity down to the database, table, and column levels. You can map role permissions to specific data resources, for example granting a user query access to only the UserID column in the Orders table. The entire permission lifecycle, from request and approval to granting and automatic revocation on expiry, is managed in one place, so that each grant stays scoped to its workspace and to the holder's current responsibilities.

Access control

Implements real-time data access protection and workspace-level isolation.

  • Workspace isolation: Users can only access workspaces they are authorized for. All data operations are restricted by the role permissions attached to each workspace, preventing unauthorized cross-workspace access at the architectural layer.

  • Real-time protection against high-risk behavior: Monitors sensitive operations such as data queries, downloads, and sharing. Define custom risk rules—for example, trigger an alert when a single export exceeds a size limit or when a user repeatedly accesses sensitive tables. When a rule triggers, the operation is automatically blocked or sent for mandatory approval.
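The two rule shapes described above (a size limit on a single export, and repeated access to sensitive tables inside a time window) can be written as a small streaming evaluator. The following is an added illustration, not the Security Center rule engine or its API: the event fields, the thresholds (100,000 rows, 3 reads in 10 minutes), the rule names and the sample events are all assumptions made for this example.

```python
"""Sliding-window risk rules over constructed audit events.

Added illustration of the two rule shapes described above; it is not the
Security Center rule engine or its API. Event fields, thresholds and rule
names are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events, in chronological order (not real records).
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "action": "query",    "table": "orders",          "sensitive": True,  "rows": 0},
    {"ts": "2025-01-10T09:02:00", "user": "alice", "action": "query",    "table": "orders",          "sensitive": True,  "rows": 0},
    {"ts": "2025-01-10T09:03:30", "user": "alice", "action": "query",    "table": "customer_pii",    "sensitive": True,  "rows": 0},
    {"ts": "2025-01-10T09:04:10", "user": "alice", "action": "query",    "table": "customer_pii",    "sensitive": True,  "rows": 0},
    {"ts": "2025-01-10T09:30:00", "user": "bob",   "action": "download", "table": "orders",          "sensitive": True,  "rows": 500_000},
    {"ts": "2025-01-10T10:00:00", "user": "carol", "action": "download", "table": "product_catalog", "sensitive": False, "rows": 5_000},
    {"ts": "2025-01-10T11:00:00", "user": "carol", "action": "query",    "table": "customer_pii",    "sensitive": True,  "rows": 0},
]


class RiskEngine:
    """Evaluates each operation as it happens and returns an enforcement decision."""

    def __init__(self, max_export_rows=100_000, sensitive_hits=3,
                 window=timedelta(minutes=10)):
        self.max_export_rows = max_export_rows   # assumed single-export limit
        self.sensitive_hits = sensitive_hits     # assumed repeated-access threshold
        self.window = window
        self._recent = defaultdict(deque)        # user -> timestamps of sensitive reads

    def evaluate(self, event):
        """Return (decision, rule); decision is 'block', 'require_approval' or 'allow'."""
        ts = datetime.fromisoformat(event["ts"])

        # Rule 1: a single export larger than the limit is blocked outright.
        if event["action"] == "download" and event["rows"] > self.max_export_rows:
            return "block", "large_export"

        # Rule 2: repeated reads of sensitive tables inside a sliding window
        # are routed to approval instead of being allowed silently.
        if event["action"] == "query" and event["sensitive"]:
            recent = self._recent[event["user"]]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()           # drop reads that fell out of the window
            if len(recent) >= self.sensitive_hits:
                return "require_approval", "repeated_sensitive_access"

        return "allow", None


def run(events, engine=None):
    """Apply the engine to an event stream; one (user, action, table, decision, rule) per event."""
    engine = engine or RiskEngine()
    return [(e["user"], e["action"], e["table"], *engine.evaluate(e)) for e in events]


if __name__ == "__main__":
    for row in run(EVENTS):
        print(*row)
```

In the sample stream, alice's third sensitive read within ten minutes (and every one after it while the window stays full) is routed to approval, bob's 500,000-row download is blocked, and carol's small non-sensitive export is allowed. The evaluator assumes events arrive in time order; a production rule would also key state on the workspace, since the same user may hold different roles in different workspaces.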

Auditing

  • Full audit trail: Records all data operations, including queries and exports. Supports analysis of sensitive data access and lets you export audit data to meet compliance requirements.

  • End-to-end permission auditing: Tracks the full lifecycle of permission requests, approvals, and revocations. Custom risk behavior rules flag abnormal operations in the audit record for review.

Asset protection

  • Intelligent identification of sensitive data: Uses a classification and categorization rule library—combining column-level and content-level identification with AI models—to automatically scan data, assign security levels (such as highly sensitive or moderately sensitive), and build a data asset inventory.

  • Data masking protection: Provides seven masking rule types for static masking (for example, masking phone numbers). For dynamic masking, applies the rules in real time based on the access context and business rules, so data is always presented in a safe form during queries and analysis.
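The column-level grant described under Authorization (query access to only the UserID column of Orders) and the context-dependent masking described here fit together as one decision path: authorize the requested columns first, then mask what the caller's context is not cleared to see. The following is an added illustration, not the DataWorks policy model, masking rule set or API; the grants, classification levels, masking functions, role policy and sample rows are all assumptions made for this example.

```python
"""Column-level authorization with context-dependent masking.

Added illustration for the column-level grant described under Authorization
and the dynamic masking described under Asset protection; it is not
DataWorks' own policy model, masking rule set or API. Grants, classification
levels, masking functions and sample rows are assumptions made for this example.
"""
import re

# Constructed grants: (principal, table) -> columns the principal may SELECT.
GRANTS = {
    ("analyst_1", "orders"):    {"UserID", "Amount"},
    ("support_1", "customers"): {"UserID", "Phone", "Email"},
    ("dba_1", "customers"):     {"UserID", "Phone", "Email", "IDNumber"},
}

# Constructed classification output: (table, column) -> sensitivity level.
CLASSIFICATION = {
    ("customers", "Phone"):    "highly_sensitive",
    ("customers", "Email"):    "moderately_sensitive",
    ("customers", "IDNumber"): "highly_sensitive",
    ("orders", "Amount"):      "internal",
}

# Access context that may read sensitive columns in the clear (assumed policy).
UNMASKED_ROLES = {"data_security_admin"}
MASKED_LEVELS = {"highly_sensitive", "moderately_sensitive"}


def mask_phone(v):
    """Keep the first 3 and last 4 digits of an 11-digit number: 138****5678."""
    return re.sub(r"^(\d{3})\d{4}(\d{4})$", r"\1****\2", v)


def mask_email(v):
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = v.partition("@")
    return f"{local[0]}***@{domain}" if local and domain else "***"


def mask_id(v):
    """Keep only the last 4 characters."""
    return "*" * (len(v) - 4) + v[-4:] if len(v) > 4 else "****"


MASKERS = {
    ("customers", "Phone"):    mask_phone,
    ("customers", "Email"):    mask_email,
    ("customers", "IDNumber"): mask_id,
}


class Denied(Exception):
    pass


def authorize(principal, table, columns):
    """Reject the whole query if any requested column lacks a grant (no partial result)."""
    allowed = GRANTS.get((principal, table), set())
    missing = [c for c in columns if c not in allowed]
    if missing:
        raise Denied(f"{principal} lacks SELECT on {table}({', '.join(missing)})")


def query(principal, role, table, columns, rows):
    """Authorize, then project the rows, masking sensitive columns unless the
    caller's role is cleared to see them unmasked."""
    authorize(principal, table, columns)
    result = []
    for row in rows:
        out = {}
        for col in columns:
            value = row[col]
            masker = MASKERS.get((table, col))
            if (masker and CLASSIFICATION.get((table, col)) in MASKED_LEVELS
                    and role not in UNMASKED_ROLES):
                value = masker(value)
            out[col] = value
        result.append(out)
    return result


# Constructed sample rows (not real customer data).
CUSTOMERS = [
    {"UserID": "u1001", "Phone": "13812345678",
     "Email": "zhang.wei@example.com", "IDNumber": "110101199001011234"},
]

if __name__ == "__main__":
    print(query("support_1", "support", "customers", ["UserID", "Phone", "Email"], CUSTOMERS))
```

Two points worth noting in the design: a request that names even one ungranted column is refused as a whole rather than partially answered, so a caller cannot probe for column existence; and masking is decided per column from the classification plus the caller's role, so the same `dba_1` principal sees the ID number in the clear only when acting in the `data_security_admin` context.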

  • Proactive risk alerts: Sends real-time alerts via email or Webhook for risky behaviors such as raw data access or high-frequency operations, enabling pre-event prevention, in-event blocking, and post-event traceability.

Core value: make data security perceivable, manageable, and trustworthy

DataWorks Security Center uses a three-in-one framework of technology, process, and policy controls to cover the entire data lifecycle, from creation to destruction:

  • Resolves core pain points: Eliminates permission chaos, sensitive data leaks, and uncontrolled high-risk operations.

  • Improves security resilience: Embeds security into daily data operations through dynamic permission management, real-time risk blocking, and intelligent audit closure.

  • Empowers business growth: Accelerates data openness and application while maintaining security, turning enterprise data assets into trusted productivity.