Dataphin: Data security permissions list

Last Updated: Jul 23, 2025

This topic outlines the permissions associated with the asset security module.

Symbol explanation

Y signifies that the role possesses the specified feature permission, while N indicates the absence of this feature permission for the role.

Permission explanation

  • Super administrator and Security administrator hold the most extensive permissions within the security module, enabling the configuration of sensitive data detection and protection policies for comprehensive data security.

  • Project Administrator is authorized to adjust the detection of sensitive data within their assigned projects in the security module, ensuring targeted detection and safeguarding of project-specific data.

Detection result permissions list

  • Custom global roles with Classification Result - Management permissions are empowered to add and manage all detection results.

  • Project Administrators are granted the ability to manage detection results for tables within their respective projects.

  • Table owners can manage the detection results of the table fields they are responsible for.

| Permission point | Super administrator | System administrator | Security administrator | Project administrator | Table owner | Ordinary member |
|---|---|---|---|---|---|---|
| Add detection results (manual addition & Excel upload) | Y | N | Y | Y | Y | N |
| Edit & delete detection results | Y | N | Y | Y | Y | N |
| Lock/Unlock data classification | Y | N | Y | Y | Y | N |
| View detection result details | Y | Y | Y | Y | Y | Y |

Detection rule permissions list

Custom global roles with Classification Rule - Management permissions are authorized to create and manage detection rules.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Create detection rule | Y | N | Y | N |
| Manual rule scan | Y | N | Y | N |
| Detection rule execution configuration | Y | N | Y | N |
| Detection rule automatic inheritance configuration | Y | N | Y | N |
| Modify automatic detection effective status | Y | N | Y | N |
| Edit & delete detection rules | Y | N | Y | N |
| Reset & change owner & test detection rules | Y | N | Y | N |
| View detection rule details | Y | Y | Y | Y |
| View detection rule scan scope | Y | Y | Y | Y |

Detection execution record permissions list

Custom global roles with Detection Execution Record - Management permissions are enabled to manage detection execution records.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Execute & stop detection tasks | Y | N | Y | N |
| View detection task execution record details | Y | Y | Y | Y |

Desensitization rule permissions list

  • Administrators of level 1 category directories are authorized to create and manage desensitization rules and whitelists for the data classifications they oversee.

  • Custom global roles with Desensitization Rule - Management permissions are empowered to create and manage desensitization rules and whitelists.

| Permission point | Super administrator | System administrator | Security administrator | Administrator of level 1 category directories | Ordinary member |
|---|---|---|---|---|---|
| Default desensitization policy | Y | N | Y | N | N |
| Dynamic desensitization rules | | | | | |
| Create dynamic desensitization rules | Y | N | Y | Y | N |
| Edit & delete dynamic desensitization rules | Y | N | Y | Y | N |
| Change owner | Y | N | Y | Y | N |
| Modify dynamic desensitization rule effective dynamics | Y | N | Y | Y | N |
| View dynamic desensitization algorithm & desensitization whitelist & desensitization rule list | Y | Y | Y | Y | Y |
| Dynamic desensitization whitelist | | | | | |
| Create & clone dynamic desensitization whitelist | Y | N | Y | Y | N |
| Edit & delete dynamic desensitization whitelist | Y | N | Y | Y | N |
| Modify dynamic desensitization whitelist effective dynamics | Y | N | Y | Y | N |
| View dynamic desensitization whitelist list | Y | Y | Y | Y | Y |

Key permissions list

  • When a key is designated to be managed solely by its owner, the super administrator is limited to executing management actions (view, grant, revoke, edit, etc.) without performing approvals. The key owner is entitled to perform actions such as editing, granting, and changing ownership of ordinary keys. If this restriction is disabled, both security administrators and key owners are authorized to perform actions such as viewing, granting, revoking, editing, and deleting ordinary keys.

  • Custom global roles with Key Management - Register Key permissions are authorized to register keys. Custom global roles with Key Management - Management permissions are enabled to manage keys.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Register key | Y | Y | Y | Y |
| Edit & delete key | Y | N | Y (when "only owner can manage" is not enabled) | N |
| Change owner of key | Y | N | Y | N |
| Grant & revoke key permissions | Y | N | Y | N |
| View key value | Y | N | Y | N |
| View key list | Y | Y | Y | Y |
| View key reference records | Y | Y | Y | Y |

Data classification permissions list

  • Administrators of the level 1 directory associated with a classification can view its details. Access for other roles to view these details is contingent upon the permission settings of the relevant level 1 directory.

  • Administrators of level 1 category directories have the authority to manage all data classifications within their assigned directory and its subdirectories.

  • Custom global roles with Data Class - Management permissions are authorized to create and manage data classifications.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Create data classification | Y | N | Y | N |
| Edit & delete data classification | Y | N | Y | N |
| Modify data classification effective status | Y | N | Y | N |
| Move data classification to a new directory | Y | N | Y | N |
| Set desensitization | Y | N | Y | N |
| Specify data sensitivity level | Y | N | Y | N |
| View data classification details | Y | N | Y | N |

Data sensitivity level permissions list

Custom global roles with Data Sensitivity Level - Management permissions are empowered to create and manage data sensitivity levels.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Create data sensitivity level | Y | N | Y | N |
| Edit & delete data sensitivity level | Y | N | Y | N |
| View data sensitivity level list | Y | Y | Y | Y |

Detection feature permissions list

Custom global roles with Feature - Management permissions are authorized to create and manage detection features.

| Permission point | Super administrator | System administrator | Security administrator | Data standard administrator | Ordinary member |
|---|---|---|---|---|---|
| Create & clone detection features | Y | N | Y | Y | N |
| Edit & delete detection features | Y | N | Y | Y | N |
| View detection feature details | Y | Y | Y | Y | Y |

Security algorithm permissions list

Custom global roles with Security Algorithm - Management permissions are enabled to manage security algorithms.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Test desensitization algorithm | Y | N | Y | N |
| View desensitization algorithm | Y | Y | Y | Y |

Project security policy permissions list

Custom global roles with Project Security Policy - Management permissions are authorized to manage project security policies.

| Permission point | Super administrator | System administrator | Security administrator | Ordinary member |
|---|---|---|---|---|
| Edit project security policy | Y | N | Y | N |
| View project security policy details | Y | Y | Y | N |
| View project security policy | Y | Y | Y | Y |