If a database contains sensitive data, you can enable the sensitive data protection feature for the database. This way, Data Management (DMS) can scan the database, and detect, mask, and manage the sensitive data. This topic describes how to enable the sensitive data protection feature and how to create a scan task for an instance.
Prerequisites
- You are a DMS administrator, a database administrator (DBA), or a security administrator. Note: To view the role of your account, move the pointer over the icon in the upper-right corner of the DMS console.
- The database is supported by the sensitive data protection feature. The following types of databases are supported:
  - Relational databases: MySQL, SQL Server, PostgreSQL, MariaDB, Oracle, Dameng (DM), PolarDB for PostgreSQL (Compatible with Oracle), PolarDB for Xscale, OceanBase, Db2, Lindorm CQL, Lindorm SQL, and OpenGauss.
  - Data warehouses: AnalyticDB for MySQL, AnalyticDB for PostgreSQL, Data Lake Analytics (DLA), ClickHouse, MaxCompute, Hologres, and Hive.
- You have purchased a quota of instances for which sensitive data protection can be enabled, and the quota is not used up. Note: To view the number of available instances for which sensitive data protection can be enabled, move the pointer over the icon and select.
Procedure
- Log on to the DMS console V5.0.
- In the top navigation bar, choose .
- On the Sensitive Data Assets tab, click the Not opened tab in the Instance List section.
- Find the instance for which you want to enable the sensitive data protection feature and click Enable Now in the Operation column. Note: Only instances for which the sensitive data protection feature is disabled appear on this tab.
- In the Enable Sensitive Data Protection dialog box, configure the parameters as required. The following table describes the parameters.

| Parameter | Required | Description |
| --- | --- | --- |
| Configure Scan Task | No | By default, Configure Scan Task is turned on. If Configure Scan Task is turned on, all databases in the instance are scanned. |
| Select a scan template | Yes | Select a scan template or create a new template. For more information about how to create a template, see Create a classification and grading template. |
| Scan Method | No | Note: If you turn on Configure Scan Task, you must select a scan method. |

  Scan Method options:
  - If you select Immediate Task (Task Immediately Run Only Once), DMS immediately scans the specified database and marks sensitive data after the task is configured.
  - If you select Scheduled Task (Task Run at Specified Time Only Once), you must select a date and time. DMS automatically scans the specified database and marks sensitive data as scheduled.
  - If you select Periodic Task, you must configure the scheduling cycle and specific point in time. DMS automatically scans the specified database and marks sensitive data on a regular basis.
- Click OK.
- Grant access to the instance. After you grant access to an instance, sensitive data in the instance can be automatically detected. You must grant access to an instance before you configure a scan task for the instance. Note: If the instance is managed in Security Collaboration mode, the system automatically grants access to the instance. In this case, skip this step.
  - On the Enabled tab in the Instance List section, find the instance to which you want to grant access and click Account Authorization in the Operation column.
  - In the Account Authorization dialog box, enter the database account and database password of the destination instance.
  - Click OK.
- Configure and run a scan task if you did not configure one when you enabled the sensitive data protection feature. Note: When DMS runs a scan task for an instance, DMS scans the metadata of the specified database and randomly scans 100 to 200 data entries in the database. The data is used only for sensitive data analysis in the scan task and is not saved for other purposes.
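
The note above says that a scan task reads 100 to 200 randomly chosen data entries. The following Python sketch is an added example, not DMS code. It models only that sampling step and computes how likely a sample is to contain none of the sensitive rows in a column where such rows are rare. Assumptions: uniform sampling without replacement, a constructed free-text column, and a hypothetical e-mail pattern standing in for the detector.

```python
import math
import random
import re

# Assumed detector for this sketch only: an e-mail address pattern.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def miss_probability(total_rows, sensitive_rows, sample_size):
    """Exact chance that a uniform sample (without replacement) of
    sample_size rows contains none of the sensitive_rows."""
    n = min(sample_size, total_rows)  # a small table is sampled in full
    # math.comb returns 0 when n exceeds the number of non-sensitive rows.
    return math.comb(total_rows - sensitive_rows, n) / math.comb(total_rows, n)

def build_column(total_rows, sensitive_rows, rng):
    """Constructed free-text column: a few rows embed an e-mail address."""
    values = [f"ticket {i} closed" for i in range(total_rows)]
    for i in rng.sample(range(total_rows), sensitive_rows):
        values[i] = f"ticket {i}: contact user{i}@example.com"
    return values

def sample_detects(values, sample_size, rng):
    """True if any sampled value matches the detector."""
    sample = rng.sample(values, min(sample_size, len(values)))
    return any(EMAIL.search(v) for v in sample)

def simulated_miss_rate(total_rows, sensitive_rows, sample_size, trials, seed=0):
    """Fraction of trial scans whose sample holds no sensitive value."""
    rng = random.Random(seed)
    values = build_column(total_rows, sensitive_rows, rng)
    misses = sum(not sample_detects(values, sample_size, rng)
                 for _ in range(trials))
    return misses / trials

if __name__ == "__main__":
    # 100 sensitive rows out of 100,000 (0.1 %), sampled at both bounds.
    for n in (100, 200):
        print(f"sample={n}: miss probability "
              f"{miss_probability(100_000, 100, n):.3f}")
    print("simulated:", simulated_miss_rate(10_000, 50, 100, trials=400))
```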