DataWorks data masking protects sensitive data across its full lifecycle — from ETL pipelines to ad-hoc queries — without interrupting business operations. It supports three masking approaches: static data masking, dynamic data masking, and engine-level masking.
Choose a masking approach
| Approach | How it works | Best used for |
|---|---|---|
| Static data masking | Permanently replaces sensitive data when written to a destination. The raw data is removed. | Syncing production data to development or test environments |
| Dynamic data masking | Masks sensitive data at query time based on who is accessing it. The raw data stays unchanged. | Controlling data visibility for different roles in a shared production environment |
| Engine-level masking | Enforced directly at the database engine layer (MaxCompute or Hologres). Takes effect regardless of the access tool used. | Highest-priority masking that must hold even outside DataWorks |
How they relate: Static and dynamic masking are both configured through DataWorks Security Center. Engine-level masking is an extension of dynamic masking — the configuration process is the same, but enforcement happens at the engine rather than the application layer.
Limitations
Edition: DataWorks Professional Edition or Enterprise Edition only. You must also enable the new data security features in Security Center.
Regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), and Japan (Tokyo).
Compute engines: MaxCompute and Hologres.
Prerequisites
Before you begin, make sure that:
Your Alibaba Cloud account or RAM user meets one of the following conditions:
Attached with the AliyunDataWorksFullAccess policy
Assigned the tenant security administrator role in DataWorks
Assigned the tenant administrator role in DataWorks
You have completed the steps in the New user guide
Open the data masking page
Log on to the DataWorks console. In the top navigation bar, select the target region.
In the left-side navigation pane, choose Data Governance > Security Center, then click Go to Security Center.
In the left-side navigation pane, choose Sensitive Data Protection > Data desensitization.
Configure dynamic data masking
Dynamic masking requires two things: a masking rule (what to do to the data) and a masking policy (who triggers that rule and under what conditions).
DataWorks industry templates include predefined masking rules for common data types. To create a custom masking rule for a data type, first disable the corresponding rule for that type in the industry template.
Add a masking rule
On the Data desensitization page, click the Dynamic desensitization tab, then click Rules.
Click New Rule and configure the following fields:
| Field | Description |
|---|---|
| Data type | The sensitive data type to apply the rule to, such as phone number or email address |
| Desensitization mode | The masking algorithm to apply when a user accesses this data type. Enter a value in Raw Data to preview the result in Data after desensitization |
| Apply to desensitization strategy | The scope of this rule: by user, feature, or data |

Click Confirm to save the rule.
Add a masking policy
A masking policy defines the conditions under which a rule is triggered.
On the Dynamic desensitization tab, click Desensitization strategy, then click New Policy.
Configure the Effective Conditions:
| Field | Description |
|---|---|
| Policy name | A name for the masking policy |
| User scope | Apply to all users or to specific users |
| DataWorks function | The DataWorks features through which the policy takes effect: Data Map, DataAnalysis, or Data Studio |
| Covered items | The projects or databases where the rule applies |
| Data type | The sensitive data types that trigger this rule. The masking rule for each listed data type must be configured and enabled |

Configure the Exception conditions (whitelist). These define who is exempt from masking:

| Field | Description |
|---|---|
| Data type | Data types exempt from masking. The masking rule for each listed type must be configured and enabled |
| Whitelisted users | RAM users or user groups who see unmasked data |
| Effective time range | Set to a specific Time period or Permanent |

Click Confirm to save the policy.
(Optional) Adjust policy priority: In the Operation column, click More and select Move Up or Move Down to change the order in which policies are evaluated.
For a workspace with enabled masking rules, DataWorks evaluates policies top to bottom and applies the first policy whose effective conditions match the access. Later policies are not consulted for that access, so a broad policy placed above a narrower one (for example, a policy with a whitelist for analysts) silently overrides it; order policies from most specific to most general.
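The first-match evaluation and whitelist exception described in this section, written out as a small model so the effect of policy order can be checked. This is an added example, not DataWorks code: the Policy and Access fields are modelled on the field names above, and the two sample policies, users, and project names are constructed for illustration.

```python
# Added example: a model of first-match policy evaluation with whitelist
# exceptions. NOT DataWorks code; Policy/Access fields and the sample
# policies below are assumptions derived from the field names on this page.
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    user_scope: Optional[Set[str]]              # None means all users
    functions: Set[str]                         # Data Map, DataAnalysis, Data Studio
    covered_items: Set[str]                     # projects or databases
    data_types: Set[str]                        # data types that trigger masking
    # Exception conditions (whitelist)
    exempt_data_types: Set[str] = field(default_factory=set)
    whitelisted_users: Set[str] = field(default_factory=set)
    whitelist_until: Optional[datetime] = None  # None means Permanent


@dataclass
class Access:
    user: str
    function: str
    item: str
    data_type: str
    at: datetime


def effective_conditions_match(p: Policy, a: Access) -> bool:
    """All effective conditions must hold for the policy to match."""
    return ((p.user_scope is None or a.user in p.user_scope)
            and a.function in p.functions
            and a.item in p.covered_items
            and a.data_type in p.data_types)


def exception_applies(p: Policy, a: Access) -> bool:
    """Whitelist: user, data type and effective time range must all match."""
    if a.user not in p.whitelisted_users or a.data_type not in p.exempt_data_types:
        return False
    return p.whitelist_until is None or a.at <= p.whitelist_until


def decide(policies: List[Policy], a: Access) -> Tuple[Optional[str], bool]:
    """Evaluate policies top to bottom; the first match decides.
    Returns (name of the matching policy or None, whether the value is masked)."""
    for p in policies:
        if effective_conditions_match(p, a):
            return p.name, not exception_applies(p, a)
    return None, False


# Constructed sample policies (illustrative, not a real configuration).
PROD_PHONE = Policy(
    name="mask-phone-prod",
    user_scope=None,
    functions={"Data Map", "DataAnalysis", "Data Studio"},
    covered_items={"prod_project"},
    data_types={"phone number"},
    exempt_data_types={"phone number"},
    whitelisted_users={"alice"},
    whitelist_until=datetime(2024, 12, 31, 23, 59, 59),   # Time period
)
ANALYSTS_ALL = Policy(
    name="analysts-see-all-prod",
    user_scope={"alice", "bob"},
    functions={"DataAnalysis"},
    covered_items={"prod_project"},
    data_types={"phone number", "email"},
    exempt_data_types={"phone number", "email"},
    whitelisted_users={"alice", "bob"},
    whitelist_until=None,                                  # Permanent
)


def demo():
    t = datetime(2024, 6, 1)
    bob = Access("bob", "DataAnalysis", "prod_project", "phone number", t)
    # Broad policy first: bob is not on its whitelist, so he is masked.
    order_a = decide([PROD_PHONE, ANALYSTS_ALL], bob)
    # Analyst policy moved up: it matches first and whitelists bob.
    order_b = decide([ANALYSTS_ALL, PROD_PHONE], bob)
    # alice's time-limited whitelist has expired by 2025: masked again.
    alice_later = Access("alice", "Data Studio", "prod_project", "phone number",
                         datetime(2025, 1, 15))
    expired = decide([PROD_PHONE, ANALYSTS_ALL], alice_later)
    # No policy covers dev_project: nothing is applied.
    dev = decide([PROD_PHONE, ANALYSTS_ALL],
                 Access("bob", "DataAnalysis", "dev_project", "phone number", t))
    return order_a, order_b, expired, dev


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The two orderings in `demo()` are the case the Move Up / Move Down step exists for: the same user, feature, project and data type gives a masked or unmasked result depending only on which policy sits higher.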
Enable dynamic masking for a workspace
Dynamic masking only takes effect after it is enabled for specific workspaces. After enabling, policies apply to Data Development and DataAnalysis.
On the Dynamic desensitization tab, click Workspace Management.
Enable masking:
To enable or disable a single workspace, toggle its Status.
To enable or disable multiple workspaces at once, select them and click Batch Enable or Batch Disable in the lower-left corner.
Verify dynamic masking
After enabling masking for a workspace, verify that your configuration works as expected.
Log in with a user account that falls within the User scope of a masking policy.
Access sensitive data through one of the configured DataWorks features (Data Map, DataAnalysis, or Data Studio).
Confirm that the sensitive fields show masked values (for example, a phone number appears as 138****1234 instead of the full number).
Log in with a whitelisted user account and confirm that the same fields show unmasked values.
Configure static data masking
Static masking applies to real-time sync tasks in DataWorks Data Integration only. It is enabled by default and permanently replaces sensitive data at the point of sync. You can disable it if necessary.
On the Data desensitization page, click the Static desensitization tab.
Click New Rule and configure the following fields:
| Field | Description |
|---|---|
| Data type | The data type to apply the rule to, such as Bank Card Number. Select an existing type or add a new one |
| Desensitization rule name | A descriptive name for the rule |
| Desensitization mode | The masking algorithm: Masking (define which character positions to mask or preserve), Hashing (set a salt value for added security), or Custom Format-preserving Transformation (set a masking value and character set for replacement) |
| Data watermark | When enabled, embeds an invisible digital watermark in the masked data. If a data leak occurs, the watermark helps trace the source. See Data traceability |
| Enabled | Select Enable Now to activate the rule immediately, or Not Enabled to save it without activating |
| Effect verification | Enter sample data in Raw Data, click Verify now, and confirm that Data after desensitization matches expectations |

Click Confirm to save the rule.
Only enabled rules take effect in sync tasks. To disable a rule later, return to this page and change its status.
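What the three Desensitization mode options do to a value, and what the Raw Data / Data after desensitization preview in the dynamic and static rule forms lets you check, is easier to see with runnable versions of each mode. The block below is an added example and is not DataWorks' implementation of these modes: the function names, parameters, salt, key and sample values are assumptions chosen for illustration, and the format-preserving transformation is one reasonable reading of "masking value and character set for replacement", not the product's exact behaviour.

```python
# Added example: illustrative reimplementations of the three static
# "Desensitization mode" options (Masking, Hashing, Custom Format-preserving
# Transformation). NOT DataWorks' algorithms; names, parameters and sample
# values are assumptions.
import hashlib
import hmac
import string


def mask_positions(value: str, keep_prefix: int, keep_suffix: int,
                   mask_char: str = "*") -> str:
    """Masking: keep the first keep_prefix and last keep_suffix characters,
    replace everything between them. Values too short to keep anything
    sensible are masked entirely instead of being revealed in full."""
    if keep_prefix + keep_suffix >= len(value):
        return mask_char * len(value)
    middle = len(value) - keep_prefix - keep_suffix
    return value[:keep_prefix] + mask_char * middle + value[len(value) - keep_suffix:]


def salted_hash(value: str, salt: str) -> str:
    """Hashing: SHA-256 over salt || value, hex encoded. The same salt gives
    the same output, so joins between masked tables still work.
    Caveat: phone numbers, card numbers and similar identifiers have low
    entropy; anyone who learns the salt can enumerate every candidate and
    reverse the hash, so the salt must stay secret."""
    return hashlib.sha256(salt.encode() + value.encode()).hexdigest()


def _keystream(key: str, value: str, n: int) -> bytes:
    """Deterministic per-value byte stream: HMAC-SHA256(key, value || counter)."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = value.encode() + counter.to_bytes(4, "big")
        out += hmac.new(key.encode(), msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def format_preserving(value: str, key: str, charset: str = string.digits) -> str:
    """Custom format-preserving transformation: each character that belongs
    to `charset` is replaced by another character from the same charset,
    chosen from a keyed pseudo-random stream; every other character
    (separators, letters outside the charset) is kept, so length and layout
    survive. Selection uses byte % len(charset), which carries a small
    modulo bias; acceptable for masking, not for cryptographic use."""
    stream = _keystream(key, value, len(value))
    out = []
    for ch, b in zip(value, stream):
        out.append(charset[b % len(charset)] if ch in charset else ch)
    return "".join(out)


def verify_effect(raw: str) -> dict:
    """Mirror of the page's Effect verification step: run one constructed
    sample through every mode so the outputs can be eyeballed."""
    return {
        "raw": raw,
        "masking": mask_positions(raw, 3, 4),
        "hashing": salted_hash(raw, "demo-salt"),
        "fpt": format_preserving(raw, "demo-key"),
    }


if __name__ == "__main__":
    # Constructed sample values, not real personal data.
    for sample in ("13812341234", "6222-0212-3456-7890"):
        for mode, out in verify_effect(sample).items():
            print(f"{mode:8} {out}")
```

Masking by position is the only mode whose output is obviously non-reversible yet still recognisable to a human (138****1234); hashing keeps referential integrity across tables at the cost of the enumeration risk noted in the comment; the format-preserving mode is the one to use when downstream code validates field length or layout.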
Engine-level masking
Engine-level masking is available for MaxCompute and Hologres. Configuration follows the same process as dynamic data masking — create a masking rule, create a masking policy, and enable the feature for a workspace. Note that the supported masking algorithms are different from those for dynamic data masking. The key difference is enforcement: engine-level masking takes effect at the database engine layer, so it applies regardless of which tool is used to access the data (not just DataWorks features). It also has the highest priority among all masking types.
For configuration steps, see Configure dynamic data masking.
What's next
Data traceability — Learn how digital watermarks help trace the source of sensitive data leaks.