Sensitive Data Discovery and Protection (SDDP) allows you to customize sensitive data detection rules. You can also view the details of built-in sensitive data detection rules. This topic describes how to create and manage custom rules, view built-in rules, and modify a risk level.

Create a custom rule

SDDP detects sensitive data in objects or tables and generates alerts based on sensitive data detection rules. You can customize sensitive data detection rules based on your business requirements. To create a custom rule, perform the following steps:

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Sensitive Data Identification > Identification Rules.
  3. On the Identification Rules page, click Add Rule.
  4. In the Add Rule dialog box, set the parameters as required.

    The following list describes the parameters for creating a custom rule.

    Rule Name: The name of the rule.

    Rule Source: The source of the rule. The value is Customize and cannot be changed.

    Rule Type: The type of the rule. Valid values:
    • Keywords: The rule is defined based on the specified keywords.
    • Regular Expression: The rule is defined based on the specified regular expression.
    Note
    • This parameter is set to Algorithm for built-in rules. If you have not created any custom rules, SDDP detects sensitive data based on algorithm-based built-in rules.
    • The built-in rules that SDDP provides apply to various types of common sensitive data, including mobile numbers and ID card numbers. We recommend that you view the built-in rules to check whether the custom rule that you want to create is already covered by a built-in rule before you create it. For more information, see View built-in rules.

    Sensitivity Level: The risk level ID of the sensitive data that hits the rule. Valid values:
    • N/A: unknown risk level
    • S1: low risk level
    • S2: medium risk level
    • S3: high risk level

    Rule Classification: The type of the sensitive data that hits the rule. Valid values:
    • Personal and sensitive information
    • Device sensitive information
    • Key sensitive information
    • Sensitive picture information
    • Sensitive corporate information
    • Location-sensitive information
    • Universal sensitive information

    Rules: The definition that the rule uses to detect sensitive data. The definition is a keyword match or a regular expression, as determined by the Rule Type parameter.
    • If the Rule Type parameter is set to Keywords, you must set the Method parameter and enter the keyword used to detect sensitive data in the Keywords field.

      Assume that you want to create a custom rule to detect the Chinese mobile number 1331234****. You can set the Method parameter to Contains and enter 1331234**** in the Keywords field.

      Note The keyword must be a precise value, for example, a specific mobile number, email address, or ID card number.
    • If the Rule Type parameter is set to Regular Expression, you must enter the regular expression used to detect sensitive data in the Regular Expression field.

      Assume that you want to create a custom rule to detect Chinese mobile numbers. You can enter ^((13[0-9])|(14[57])|(15[0-35-9])|(17[035-8])|(18[0-9])|166|198|199|(147))\d{8}$ in the Regular Expression field. Because the expression is anchored with ^ and $, it matches only when the entire field value is a mobile number, not when a number is embedded in longer text.

    Note After a rule is created, the rule appears in the rule list. However, the rule list does not display the rule definition. You can view the rule definition in rule details.
  5. Click Enable, Save, or Cancel.
    • Enable: If you click Enable, the rule is created and enabled. SDDP starts to detect sensitive data based on the rule.
    • Save: If you click Save, the rule is created but not enabled. To enable the rule, you must turn on the switch in the Status column for the rule in the rule list.
    • Cancel: If you click Cancel, the rule is not created.
    Note
    • SDDP detects sensitive data based on all sensitive data detection rules that are enabled.
    • A rule takes effect after it is created and enabled. If you need to temporarily stop treating specific data as sensitive, you can disable the corresponding rule. After you disable a rule, SDDP no longer detects the corresponding data as sensitive data. We recommend that you enable all rules to reduce risks.
    • You can modify and delete custom rules. You can view built-in rules but cannot modify or delete them.
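The following Python script is an added illustration of how the two rule types described above behave when applied to table cells; it is example code written for this page, not SDDP's detection engine, and the Rule class, the scan function, the "Hotline number" keyword value and the sample rows are all constructed here. It uses the Chinese mobile number regular expression from the page and shows three things a rule author should expect: a keyword rule with the Contains method fires on a value that merely contains the keyword, the anchored regular expression fires only when the whole cell is a mobile number, and a rule that is saved but not enabled contributes no hits.

```python
import re
from dataclasses import dataclass

# Chinese mobile number pattern from the page. The ^ and $ anchors mean a cell
# matches only when its entire value is a mobile number.
MOBILE_RE = r"^((13[0-9])|(14[57])|(15[0-35-9])|(17[035-8])|(18[0-9])|166|198|199|(147))\d{8}$"

# Risk levels from the page, ordered so the highest level wins per column.
LEVEL_ORDER = {"N/A": 0, "S1": 1, "S2": 2, "S3": 3}


@dataclass
class Rule:
    """One detection rule, shaped after the Add Rule parameters (assumed shape)."""
    name: str
    rule_type: str            # "Keywords" or "Regular Expression"
    level: str                # "N/A", "S1", "S2" or "S3"
    classification: str
    pattern: str              # keyword text or regular expression
    method: str = "Contains"  # keyword matching method; Contains is the one named on the page
    enabled: bool = True

    def matches(self, value: str) -> bool:
        if self.rule_type == "Keywords":
            if self.method != "Contains":
                raise ValueError(f"unsupported keyword method: {self.method}")
            return self.pattern in value
        if self.rule_type == "Regular Expression":
            return re.search(self.pattern, value) is not None
        raise ValueError(f"unknown rule type: {self.rule_type}")


def build_rules():
    """Constructed rule set: one keyword rule, one regex rule, one disabled rule."""
    return [
        Rule("Hotline number", "Keywords", "S1", "Sensitive corporate information",
             "13312340000"),  # constructed keyword, not a real number
        Rule("Chinese mobile number", "Regular Expression", "S2",
             "Personal and sensitive information", MOBILE_RE),
        Rule("Disabled rule", "Keywords", "S3", "Universal sensitive information",
             "secret", enabled=False),  # saved but not enabled: must never fire
    ]


# Constructed sample rows: column name -> cell value.
SAMPLE_ROWS = [
    {"phone": "13812345678", "note": "call 13812345678 later", "tag": "secret"},
    {"phone": "12345678901", "note": "hotline 13312340000", "tag": "public"},
]


def scan(rows, rules):
    """Return {column: highest risk level hit}, considering only enabled rules."""
    result = {}
    for row in rows:
        for column, value in row.items():
            for rule in rules:
                if not rule.enabled or not rule.matches(str(value)):
                    continue
                current = result.get(column, "N/A")
                if LEVEL_ORDER[rule.level] > LEVEL_ORDER[current]:
                    result[column] = rule.level
    return result


if __name__ == "__main__":
    for column, level in scan(SAMPLE_ROWS, build_rules()).items():
        print(f"{column}: {level}")
```

Running the script reports the phone column at S2 (the regular expression matched a cell that is exactly a mobile number) and the note column at S1 (the keyword was found inside longer text). The note cell that embeds a mobile number in a sentence does not trigger the regular-expression rule because of the anchors, and the tag column reports nothing because its only matching rule is disabled.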

View built-in rules

The built-in sensitive data detection rules that SDDP provides apply to various types of common sensitive data, including mobile numbers and ID card numbers. You can view all information about a built-in rule, such as the rule type, name, and risk level, except for the rule definition. To view built-in rules, perform the following steps:

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Sensitive Data Identification > Identification Rules.
  3. On the Identification Rules page, set the Rule Source parameter to Built-in.
  4. View built-in rules in the list that appears.
    The rule list displays the information about each built-in rule, such as the rule name, type, source, and sensitive data type.
    Note If you have not created any custom rules, SDDP detects sensitive data based on algorithm-based built-in rules. You cannot modify or delete built-in rules.
  5. To view the details of a built-in rule, find the target rule and click Details in the Operation column.
    Note You can view the details of a built-in rule but cannot modify or delete the rule.
  6. In the Rule Details dialog box, view the details of the rule.
    You can view the rule name, type, source, sensitive data type, and risk level configured for sensitive data in the corresponding fields. You cannot view the algorithm or regular expression of a built-in rule. The Regular Expression or Algorithm field is empty in the Rule Details dialog box.

Manage custom rules

SDDP allows you to query, view, modify, and delete custom sensitive data detection rules. To manage custom rules, perform the following steps:

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Sensitive Data Identification > Identification Rules.
  3. On the Identification Rules page, set the Rule Source parameter to Customize.
  4. On the Identification Rules page, perform the following operations as required:
    • Query rules
      Use the filters in the upper part of the page to query rules. To query the required rules, set the filters such as the name, type, source, risk level, and status, and click Search.
    • View the details of a rule

      Find the target rule and click Details in the Operation column. In the Rule Details dialog box, view the details of the rule.

    • Modify a rule

      Find the target rule and click Edit in the Operation column. In the Rule Editing dialog box, modify the rule. For more information about the rule parameters, see Parameter description.

    • Delete a rule
      Find the target rule and click Delete in the Operation column. In the Rule Delete message, click OK.
      Note After you delete a rule, SDDP no longer detects corresponding data as sensitive data. Exercise caution when you delete a rule.

Modify a risk level

SDDP allows you to modify the name and description of a risk level. To modify a risk level, perform the following steps:

  1. Log on to the SDDP console.
  2. In the left-side navigation pane, choose Sensitive Data Identification > Identification Rules.
  3. On the Identification Rules page, click the Level Settings tab.
  4. Find the target risk level and click Edit in the Actions column.
  5. In the Sensitivity Level dialog box, modify the information in the Sensitivity Level and Description fields as required.
    By default, SDDP marks sensitive data with the following risk levels: N/A, S1, S2, and S3. N/A indicates an unknown risk level. The severity of S1, S2, and S3 increases in sequence. You can customize the names and descriptions of the four risk levels to classify the sensitive data detected in your data assets based on your business requirements. SDDP provides the following default descriptions for the S1, S2, and S3 levels:
    • S1: low.
    • S2: medium.
    • S3: high.
  6. Click Confirm.
    The modification takes effect immediately after you submit it. To view the updated level names on the Rule Settings tab, refresh the Identification Rules page.