DataWorks protects sensitive data through two complementary masking approaches: dynamic masking, which hides sensitive values in real time when users query data, and static masking, which transforms data before it is stored. Both approaches are organized into a fixed set of level-1 scenarios (predefined by DataWorks) and configurable level-2 scenarios (created and managed by administrators).
Level-1 scenarios cannot be added, edited, or deleted. For each level-1 scenario, DataWorks provides a default level-2 scenario that you can edit or use as a starting point for new ones.
Choose a masking scenario
Use the following table to identify which level-1 scenario fits your use case.
| Level-1 scenario | Masking type | Covered engines | Best used for |
|---|---|---|---|
| Data development / Data map display desensitization | Dynamic | MaxCompute, EMR | Masking data queried in DataStudio, Data Map, and the SQL Query feature in DataAnalysis |
| Data analysis and display desensitization | Dynamic | MaxCompute | Masking data queried through the SQL Notes feature in DataAnalysis |
| Layer masking of the MaxCompute engine | Dynamic | MaxCompute (OPS data engine) | Masking at the engine layer for queries from the command line, odpscmd client, or Logview |
| Hologres layer masking | Dynamic | Hologres | Masking Hologres data queried in DataStudio |
| Static desensitization of data integration | Static | — | Masking offline data before it is stored during data integration |
Scenario details
Level-2 scenario constraints
| Level-1 scenario | Level-2 limit | Level-2 operations |
|---|---|---|
| Data development / Data map display desensitization | 30 | Create, edit, delete |
| Data analysis and display desensitization | — | Varies (see the product UI for details) |
| Layer masking of the MaxCompute engine | — | Varies (see the product UI for details) |
| Hologres layer masking | 1 | Edit only (cannot create new) |
| Static desensitization of data integration | Fixed (system-defined) | Not supported |
Data development / Data map display desensitization
Masks sensitive data that users query in DataStudio and Data Map, and masks results from the SQL Query feature in DataAnalysis. Applies to MaxCompute and EMR engines.
Usage notes:
- Masking rules take effect only after you enable data masking for the workspace. Exception: EMR engine Data Map masking rules take effect immediately, regardless of the workspace setting.
- The workspace data masking setting is shared between this scenario and the Data analysis and display desensitization scenario. Changing the setting in one also changes it in the other.
- Hologres data is not supported in DataStudio and Data Map masking.
Data analysis and display desensitization
Masks sensitive data in results from the SQL Notes feature in DataAnalysis. Applies to the MaxCompute engine only.
Masking rules take effect only after you enable data masking for the workspace. The workspace setting is shared with the Data development / Data map display desensitization scenario.
Layer masking of the MaxCompute engine
Masks data at the presentation layer when users query from the MaxCompute command line, the odpscmd client, or Logview. The underlying data in the storage layer is not changed. Applies to the OPS data engine.
This scenario complements application-layer masking — it does not replace it. To activate engine-layer masking for a field, you must also configure a data masking rule for that field. If no rule is configured, the application-layer masking rules apply.
For a practical walkthrough, see Best practices: Use underlying data masking in MaxCompute.
Hologres layer masking
Masks sensitive data when users query Hologres data in DataStudio. Applies to the Hologres engine. Only one level-2 scenario is supported, and you can only edit the default one — creating new level-2 scenarios is not supported.
Pseudonym-based data masking and whitelists are not supported for this scenario. If you configure pseudonym-based masking, sensitive data is masked as ***.
Static desensitization of data integration
Masks offline data during data integration. Sensitive data is identified and transformed based on the configured rules before it is stored, and the masked result is written to the specified database location. Level-2 scenario configuration is not supported for this scenario.
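The scenario table and usage notes above can be combined into a coverage check that lists query paths on which dynamic masking would not apply. This is an added example, not DataWorks code or an API: the function names and sample paths are constructed. It assumes every engine listed for a scenario is reachable from each of that scenario's entry points, and that only the two display scenarios depend on the workspace switch, since the page states that dependency only for them.

```python
# Added example: models only what this page's tables and usage notes state.
# Scenario names are the page's; functions and sample paths are constructed.
DISPLAY = "Data development / Data map display desensitization"
ANALYSIS = "Data analysis and display desensitization"
MC_LAYER = "Layer masking of the MaxCompute engine"
HOLO_LAYER = "Hologres layer masking"

# (engine, entry point) -> level-1 scenario, from "Choose a masking scenario".
COVERAGE = {}
for engine in ("MaxCompute", "EMR"):
    for entry in ("DataStudio", "Data Map", "SQL Query"):
        COVERAGE[(engine, entry)] = DISPLAY
COVERAGE[("MaxCompute", "SQL Notes")] = ANALYSIS
for entry in ("command line", "odpscmd", "Logview"):
    COVERAGE[("MaxCompute", entry)] = MC_LAYER
COVERAGE[("Hologres", "DataStudio")] = HOLO_LAYER

# The two scenarios that share the workspace-level data masking setting.
NEEDS_WORKSPACE_SWITCH = {DISPLAY, ANALYSIS}


def masking_status(engine, entry, workspace_masking_enabled):
    """Return (scenario or None, status) for one query path."""
    scenario = COVERAGE.get((engine, entry))
    if scenario is None:
        return None, "no level-1 scenario covers this path"
    if scenario in NEEDS_WORKSPACE_SWITCH and not workspace_masking_enabled:
        # Exception from the usage notes: EMR Data Map rules apply immediately.
        if not (engine == "EMR" and entry == "Data Map"):
            return scenario, "inactive: workspace data masking is disabled"
    return scenario, "active once a masking rule exists for the field"


def audit(paths, workspace_masking_enabled):
    """List the paths on which query results would not be masked."""
    gaps = []
    for engine, entry in paths:
        scenario, status = masking_status(engine, entry, workspace_masking_enabled)
        if scenario is None or status.startswith("inactive"):
            gaps.append((engine, entry, status))
    return gaps


# Constructed inventory of query paths in one workspace.
SAMPLE_PATHS = [("MaxCompute", "DataStudio"), ("EMR", "Data Map"),
                ("MaxCompute", "odpscmd"), ("Hologres", "Data Map"),
                ("MaxCompute", "SQL Notes"), ("Hologres", "DataStudio")]

if __name__ == "__main__":
    for gap in audit(SAMPLE_PATHS, workspace_masking_enabled=False):
        print(gap)
```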
Access control
| Role | Add / edit / delete scenarios | View scenarios | Data scope |
|---|---|---|---|
| Tenant administrator | Yes | Yes | All workspaces in the tenant |
| Tenant security administrator | Yes | Yes | All workspaces in the tenant |
| Workspace administrator | Yes | Yes | Workspaces with granted permissions only |
| Workspace security administrator | Yes | Yes | Workspaces with granted permissions only |
| All other roles | No | No | — |
For instructions on granting these roles, see Manage permissions on workspace-level modules and Manage permissions on global-level modules.
Create a masking scenario
Prerequisites
Before you begin, ensure that you have one of the roles listed in Access control with permission to add scenarios.
Navigate to Data Masking Management
- Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Development and O&M > Data Development. Select the target workspace and click Go to Data Development.
- Click the icon in the upper-left corner, then choose All Products > Data Governance > Data Security Guard. On the page that appears, click Try Now.
  Note: If your account already has the required permissions, you are taken directly to the Data Security Guard homepage. If not, you are redirected to the authorization page first.
- In the left navigation pane, click Rule Configuration > Data Masking Management.
- In the Masking Scene section on the left, click Create Scenario.
Configure the scenario
In the New Data Masking Scenario dialog box, configure the following parameters:
- Select a primary scenario and name the secondary scenario. Choose a level-1 scenario from the list, then enter a name for the new level-2 scenario. The name can contain any characters and must be 1–30 characters long.
- Select a data scope. Choose the workspaces to which the scenario applies. The masking rules take effect only for data in the selected workspaces.
- (Optional) Select a user group scope. To restrict the scenario to specific users, select a user group. If left blank, the scenario applies to all users in the current tenant. For details on setting up user groups, see Configure a user group.
- Click Confirm.
What's next
After creating a masking scenario, configure the data masking rules that determine how sensitive data is transformed. See Create a data masking rule.