
DataWorks: Configure system settings

Last Updated: Mar 06, 2024

On the System Config page of Data Security Guard, you can enable or disable content-based sensitive data identification, and specify the identification scope. You can also specify the retention period of watermarked files, whether to show the security level of identified data, and the email address and webhook URL for receiving alert notifications. This helps detect and handle potential security risks at the earliest opportunity.

Go to the System Config page

  1. Go to the DataStudio page.

    Log on to the DataWorks console. In the left-side navigation pane, choose Data Modeling and Development > DataStudio. On the page that appears, select the desired workspace from the drop-down list and click Go to DataStudio.

  2. Click the icon in the upper-left corner, choose All Products > Data Governance > Data Security Guard, and then click Try now to go to the Data Security Guard page.

    Note
    • If your Alibaba Cloud account is granted the required permissions, you can directly access the homepage of Data Security Guard.

    • If your Alibaba Cloud account is not granted the required permissions, you are redirected to the authorization page of Data Security Guard. You can use the features of Data Security Guard only after your Alibaba Cloud account is granted the required permissions.

  3. In the left-side navigation pane, click System Config.

    On the page that appears, you can enable or disable content-based sensitive data identification, and specify the identification scope. You can also specify the retention period of watermarked files, whether to show the security level of identified data, and the email address and webhook URL for receiving alert notifications in Data Security Guard.

Configure a sensitive data identification and processing policy

Identify configuration tab

On the Identify configuration tab of the System Config page, enable or disable content-based sensitive data identification and specify the identification scope.


The following list describes the parameters, grouped by section.

Basic configuration

  • Identify account

    The account that determines the data scope of risk identification management.

      • If you set the Identify account parameter to Main account, data risks for data in the workspaces on which an Alibaba Cloud account has permissions can be identified.

      • If you set the Identify account parameter to Sub-account, data risks for data in the workspaces on which a RAM user has permissions can be identified.

  • Content recognition

    Specifies whether Data Security Guard samples and scans table data in databases.

    If you disable Content recognition, the rules for identifying sensitive data based on data content do not take effect, but the rules for identifying sensitive data based on field names and field comments still take effect.

Identification range

  • Compute engine type: MaxCompute, Hologres, E-MapReduce

    Specifies whether each type of compute engine automatically identifies the sensitive data of a task on a daily basis.

      • If your data schema is not frequently updated, you do not need to enable automatic identification of sensitive data on a daily basis. If you want to identify the sensitive data of a task, you can manually trigger identification of sensitive data on the Sensitive data identification page. For more information, see Configure sensitive data identification rules.

      • If you disable automatic identification of sensitive data on a daily basis, the system does not automatically identify sensitive data or update identification results on a daily basis. In this case, the system retains the most recent identification results.

    By default, the sensitive data identification scope covers data risks for data in all workspaces on which an Alibaba Cloud account or a RAM user has permissions. Identification scope:

      • You can specify whether to include external tables.

      • You can add the workspaces for which you want to identify data risks to a whitelist.

      • You can add the workspaces for which you do not want to identify data risks to a blacklist.

    Note

    If you add multiple workspaces, separate the workspace names with commas (,).
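A simplified model of the Content recognition switch described above, added here as an illustration and not DataWorks code: it lists the columns that stop being identified when content scanning is turned off and only field-name and field-comment rules remain. The rules, column names and sample values are constructed.

```python
import re

# Constructed rules, not DataWorks built-ins: each maps a data type to patterns
# for the three signals the page names (field name, field comment, content).
RULES = {
    "phone": {"name": r"phone|mobile", "comment": r"phone|mobile",
              "content": r"^\+?\d{10,13}$"},
    "email": {"name": r"e?mail", "comment": r"e-?mail",
              "content": r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$"},
}

# Constructed schema export: (column name, column comment, sampled values).
COLUMNS = [
    ("user_mobile", "", ["13800000000"]),
    ("contact", "customer e-mail address", ["a@example.com"]),
    ("c7", "", ["+8613900000000", "13700000000"]),
    ("remark", "free text", ["b@example.org"]),
    ("order_cnt", "number of orders", ["3", "12"]),
]


def identify(columns, content_recognition):
    """Return {column: sorted data types} under the given Content recognition setting."""
    hits = {}
    for name, comment, samples in columns:
        found = set()
        for dtype, rule in RULES.items():
            # Name and comment rules always apply.
            if re.search(rule["name"], name, re.I) or re.search(rule["comment"], comment, re.I):
                found.add(dtype)
            # Content rules apply only when sampling and scanning is enabled.
            elif content_recognition and samples and all(
                    re.match(rule["content"], s, re.I) for s in samples):
                found.add(dtype)
        if found:
            hits[name] = sorted(found)
    return hits


def coverage_lost(columns):
    """Columns that are identified only when content scanning is enabled."""
    on, off = identify(columns, True), identify(columns, False)
    return sorted(set(on) - set(off))
```

Columns with uninformative names and empty comments, such as `c7` here, are the ones that drop out of the results when the switch is off.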

Watermark traceability tab

On the Watermark traceability tab of the System Config page, specify the retention period of watermarked files. You can set the Watermark traceability time parameter to One year, Two years, or Three years. For example, if you set the Watermark traceability time parameter to Two years and a data leak occurs, you can trace risky operations that were performed on the data during the most recent two years.

Marking configuration tab

On the Marking configuration tab of the System Config page, specify whether to enable sensitivity level labeling for data in MaxCompute.

If you enable labeling, the columns of a MaxCompute table are labeled by sensitivity level. On the Field Information subtab of the Details tab for the table in Data Map, you can view the sensitivity levels of the columns. For more information, see View the details of a table.

Note
  • If you enable labeling but no sensitivity levels for the columns of a MaxCompute table are displayed in Data Map, you can check whether the column-level access control feature is enabled in the MaxCompute console. For information about how to enable the column-level access control feature, see Label-based access control.

  • After you enable labeling, the sensitivity levels of the columns of a MaxCompute table affect your permissions on the table columns. You can check the sensitivity level of each column on the Manual Check tab of the Sensitive data identification page in the DataWorks console. If the access level that is configured for your account in MaxCompute is lower than the sensitivity level of a column, you cannot access the column. For more information about how to configure access-level labels for users, see Label-based access control.

Alarm settings tab

On the Alarm settings tab of the System Config page, specify the email address or webhook URL for receiving alert notifications. After sensitive data is identified, alert notifications are sent so that the relevant personnel can assess and handle risks at the earliest opportunity.

  • Email address for receiving alert notifications

    Configure the email address for receiving alert notifications. When data risks are identified, the system sends an alert notification to the email address. For more information about how to add alert contacts, see Configure and view alert contacts.

  • Webhook URL for receiving alert notifications

    DataWorks supports the webhook URLs of DingTalk, WeCom, and Lark. When data risks are identified, the system sends an alert notification to the specified group based on your configurations.

    Note

    Only DataWorks Enterprise Edition or a more advanced edition allows users to use WeCom or Lark to receive an alert notification.
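A pre-flight check for a webhook URL before it is entered on the Alarm settings tab, added here as an example and not part of DataWorks: it accepts only HTTPS URLs on the vendors' bot webhook hosts, applies the edition restriction from the note above, and returns a copy with the token redacted for logs. The host and path table reflects the vendors' public bot endpoints and is an assumption of this example, as is the `enterprise_edition` flag.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed endpoints: (provider, host, path prefix, query key holding the token;
# None means the token is the last path segment).
PROVIDERS = [
    ("DingTalk", "oapi.dingtalk.com", "/robot/send", "access_token"),
    ("WeCom", "qyapi.weixin.qq.com", "/cgi-bin/webhook/send", "key"),
    ("Lark", "open.larksuite.com", "/open-apis/bot/v2/hook/", None),
    ("Lark", "open.feishu.cn", "/open-apis/bot/v2/hook/", None),
]
# Per the note above: WeCom and Lark need Enterprise Edition or a more advanced edition.
ENTERPRISE_ONLY = {"WeCom", "Lark"}


def check_webhook(url, enterprise_edition):
    """Return (provider, redacted_url); raise ValueError if the URL should not be configured."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("webhook must use https")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("unexpected credentials or port in URL")
    host = parts.hostname or ""
    for provider, p_host, p_path, token_key in PROVIDERS:
        # Exact host match, so look-alike hosts with a vendor prefix are rejected.
        if host != p_host or not parts.path.startswith(p_path):
            continue
        if token_key:
            token = parse_qs(parts.query).get(token_key, [""])[0]
        else:
            token = parts.path[len(p_path):]
        if not token:
            raise ValueError(f"{provider} webhook is missing its token")
        if provider in ENTERPRISE_ONLY and not enterprise_edition:
            raise ValueError(f"{provider} webhooks need Enterprise Edition or higher")
        # The token is a bearer secret: anyone holding the URL can post to the group.
        return provider, url.replace(token, "***")
    raise ValueError(f"{host or 'URL'} is not a DingTalk, WeCom or Lark webhook host")
```

Store the full URL as a secret and record only the redacted form in tickets and change logs.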