
Dataphin: Create and manage data classification

Last Updated: Mar 05, 2025

Data classification is essential for defining the business properties of data within the security realm, allowing for multi-level classification tagging that aligns with industry standards. This topic describes the process for creating and managing data classification.

Permission description

  • Security administrators and global custom roles with Data Class-Management permissions can create and manage data classification folders and classifications.

  • Administrators of level 1 classification folders can manage these folders and all contained data classifications within their subdirectories.

  • Ordinary members can view all data classifications but are limited to viewing details of classifications that are public.

Usage description

Data classification folders are limited to a maximum of 10 levels.

Manage data classification folders

  1. On the Dataphin home page, navigate to the top menu bar and select Administration > Data Security.

  2. In the left-side navigation pane, select General Configuration > Data Class. On the Data Class page, click the Data Class tab.

  3. On the Data Class tab, you can view classification folders and classification information. The classification folder tree on the left organizes classifications from a business or organizational perspective. Selecting a directory displays the classification information for that directory and its subdirectories in the list on the right. You can also click All Classifications to view all classification information.

    • Priority: Influences the arbitration logic of field detection results. When multiple detection records exist for a field, the final result is determined by considering classification priority, update time of the detection record, and classification modification time.

    • Number of Effective Fields: Reflects the total number of fields with detection results matching the current classification.

  4. (Optional) Perform a fuzzy search for data classification folders by name in the classification folder list, run a quick keyword search for data classifications in the classification list, or filter classifications by effective status (Effective or Ineffective) or by Data Sensitivity Level.

  5. The following operations can be performed on data classification folders and classifications.

    Operation item

    Description

    Classification folder

    Add Classification Folder

    Click Add Classification Folder on the right side of the directory row to create a subdirectory under the current directory.

    • Parent Directory: Defaults to the currently selected data classification folder and can be changed. Selecting a forward slash (/) means there is no parent directory, so a level 1 directory is created.

    • Directory Name: Enter the name of the directory. Forward slashes (/) are not supported and the name cannot exceed 128 characters.

    • Batch Add Directories: You can click the +continue Adding button to batch create directories at the same level.

    Import Classification From Template Library

    Click the Import Classification from Template Library icon on the right side of the directory row, or hover over the drop-down arrow next to the new classification button and click Import Classification from Template Library, to import classification templates under the current directory. In particular, if you are in the All Lookup Tables directory, the imported classification templates are directly attributed to all classification folders. For configuration details, see Import Data Classification from Template Library.

    Edit

    Click the more icon on the right side of the directory row and select Edit. Level 1 directories support setting administrators and classification detail viewing permissions, while subdirectories support modifying directory names.

    • Directory Name: Defaults to the name of the currently selected directory. It can be changed, but slashes (/) are not supported. The name can be up to 128 characters.

    • Administrator: Select the administrators of the level 1 directory. Up to 5 administrators can be selected.

      Note

      Administrators can manage the current directory and its subdirectories, along with the data classification belonging to the directory.

    • Classification Details: Supports public and administrator-only viewing.

      • Public: All users can view the classification details of data classifications under this directory.

      • Administrator-only Viewing: Global custom roles with Data Class-Management permissions and administrators of the level 1 directory to which the data classification belongs can view classification details.

    Shift

    Click the More icon on the right side of the folder row and select Shift to move the current folder to another classification folder. To make it a top-level folder, select the forward slash (/) as the Parent Directory.

    • If the current directory is a level 1 directory and is moved to a subdirectory, it must follow the new level 1 directory management and viewing permissions settings. Existing permission settings will be purged.

    • If the current directory is a subdirectory and is moved to a level 1 directory, administrators and classification detail viewing permissions must be set.

    Delete

    Click the More icon on the right side of the folder row, select Delete. This will simultaneously delete the currently selected classification folder and its subdirectories, along with all contained data classifications. It will also delete the reference relationships of the detection rules, detection results, desensitization rules, and desensitization whitelist corresponding to the data classification. Please proceed with caution.

    Data classification

    Modify Effective Status

    Click the switch under the effective status column or click the Enable/Disable icon at the bottom to modify the effective status of the classification. Only classifications with an effective status can be used as detection results.

    • Enable data classification: After enabling, you can select this data classification when creating new detection rules, detection results, desensitization rules, and desensitization whitelists. Additionally, the associated automatic detection nodes, detection results, desensitization rules, and desensitization whitelists will re-enable this data classification.

    • Disable data classification: After disabling, the associated automatic detection nodes, detection results, desensitization rules, and desensitization whitelists will ignore this data classification and will not continue to generate new detection records. For detection records that have already been generated, you can choose to retain or delete them.

      • Retain: With the retain policy, generated detection results are not purged and are marked as Disabled. When detection rules run subsequent scans, the detection records already generated for the data classification still participate in the arbitration of detection results. When the classification of the final effective detection result for a field is Disabled, desensitization will not be effective.

      • Sync Delete: Synchronously delete all generated detection records of the current classification and re-arbitrate new detection results.

    View Details

    Click the view icon under the Actions column to view data classification information with viewing permissions, including basic information, classification information, and scan methods.

    Edit

    Click the edit icon under the Actions column to modify the information of the data classification.

    Move To New Directory

    Click the move to new directory icon under the Actions column or in the batch operation area at the bottom to move the data classification to the specified classification folder. If the classification does not have a specified folder, you can select a forward slash (/); subsequent queries can be made through All Classifications located on the left side.

    Set Desensitization

    Click the more icon under the Actions column and select Set Desensitization to set desensitization rules for the data classification. For configuration details, see Create and Manage Dynamic Desensitization Rules.

    Delete

    Click the delete icon under the Actions column or at the bottom to delete the data classification. This will delete the associated detection rule reference relationships, detection results, detection records, desensitization rules, and desensitization whitelists. Please proceed with caution.

    Specify data classification level

    Click the specify data classification level icon at the bottom to batch specify data classification levels for data classifications.

Create data classification

  1. On the Data Class page, click the Data Class tab and then click the Create Classification button.

  2. In the Create Classification dialog box, configure the necessary parameters.

    Parameter

    Description

    Basic information

    Classification Name

    Enter the name of the data classification. It cannot exceed 512 characters. For example: Name.

    Classification Abbreviation

    You can enter an abbreviation based on the classification name. It cannot exceed 128 characters. For example: N.

    Classification Description

    Enter the description of the classification. It cannot exceed 2048 characters. For example: Use N to represent Name.

    Belonging Folder

    Select the folder to which the data classification belongs.

    Classification level information

    Data Sensitivity Level

    Select the created data classification level. To create one, see Create Data Classification Level.

    Scan methods

    Feature

    Detection features are used to uniformly manage built-in detection expressions, such as phone numbers and ID numbers. To create one, see Add Detection Features.

    Multiple detection features have an "or" relationship and support selecting up to 20.

    Priority

    Data classification priority runs from highest to lowest as 1, 2, 3, 4, 5. When the priority is the same, the final effective classification is determined from the details of the field detection results, compared in this order: classification priority > update time of detection record > classification modification time.

    Advanced Configuration

    Supports selecting Scan By Content, Scan By Field Name, Scan By Field Description, Scan By Data Type, Scan By Table Name, Scan By Table Chinese Name.

    • Scan By Content: Detect and judge based on sampling and reading the target field data content.

      • Regular (case Compatible): Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*, which can match names containing test, Test, TEST, etc., with case compatibility.

      • Regular Expression: Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*.

      • Detection Threshold: Only when the content match rate exceeds the detection threshold will the rule be considered effective and enter the comparison of the detection results of the field.

    • Scan By Field Name: Detect and judge based on the field name in the metadata. If the field name match rate is 100%, the rule enters the detection results of the field; otherwise, the rule does not enter the detection results of the field.

      • Regular (case Compatible): Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*, which can match names containing test, Test, TEST, etc., with case compatibility.

      • Regular Expression: Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*.

      • Include/exclude: Keyword matching. For example, to match the user information table, enter user_info.

    • Scan By Field Description: Detect and judge based on the field description in the metadata.

      • Regular (case Compatible): Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*, which can match names containing test, Test, TEST, etc., with case compatibility.

      • Regular Expression: Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*.

      • Include/exclude: Keyword matching. For example, to match the user information table, enter user_info.

    • Scan By Data Type: Detect and judge based on the data type of the field in the metadata. Scan conditions support Belong To, Regular (case Compatible), Regular Expression, Include, Exclude.

      • Belong To: Selectable data types include tinyint, smallint, mediumint, int, bigint, decimal, bit, date, datetime, timestamp, varchar, text, json.

      • Regular (case Compatible): Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*, which can match names containing test, Test, TEST, etc., with case compatibility.

      • Regular Expression: Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*.

      • Include/exclude: Keyword matching. For example, to match the user information table, enter user_info.

    • Scan By Table Name: Detect and judge based on the name of the data table.

      • Regular (case Compatible): Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*, which can match names containing test, Test, TEST, etc., with case compatibility.

      • Regular Expression: Enter a regular expression in the input box. For example, if you need to match all names containing test, the regular expression is defined as .*test.*.

      • Include/exclude: Keyword matching. For example, to match the user information table, enter user_info.

    • Scan By Table Chinese Name: Detect and judge based on the Chinese name of the data table.

      • Regular (case Compatible): Enter a regular expression in the input box. For example, if you need to match all names containing information, the regular expression is defined as .*information.*.

      • Regular Expression: Enter a regular expression in the input box. For example, if you need to match all names containing information, the regular expression is defined as .*information.*.

      • Include/exclude: Keyword matching. For example, to match the user information table, enter information.

    Note

    • At least one rule must be configured. To add a rule, click the +add Rule button.

    • A maximum of 5 rules can be configured, with up to 2 levels of relationships.

    • The relationship between filter conditions can be configured as "and" or "or".

    Note

    If no scan method (detection feature or advanced configuration) is configured, detection rules will not scan for the classification automatically, and it must be specified manually.

  3. Click OK to finalize the creation of the data classification.
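
The detection threshold and priority arbitration described in this topic, sketched in Python as an added example (not Dataphin code or its API). The Detection record, function names and sample values are constructed for illustration; whole-value regex matching is assumed, and for the two time keys the more recent value is assumed to win.

```python
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Detection:
    """One detection record for a field (hypothetical model, not a Dataphin type)."""
    classification: str
    priority: int              # 1 is the highest priority, 5 the lowest
    record_updated: datetime   # update time of the detection record
    class_modified: datetime   # classification modification time
    enabled: bool = True       # False: classification disabled with the Retain policy

def content_match_rate(pattern, samples, case_compatible=False):
    """Fraction of sampled values matched by the regex (assumed: whole-value match)."""
    if not samples:
        return 0.0
    rx = re.compile(pattern, re.IGNORECASE if case_compatible else 0)
    return sum(1 for value in samples if rx.fullmatch(value)) / len(samples)

def rule_is_effective(rate, threshold):
    """The match rate must exceed the threshold; an equal rate does not qualify."""
    return rate > threshold

def arbitrate(records):
    """Order: classification priority > record update time > modification time.
    Assumption: for both time keys the more recent value wins."""
    if not records:
        return None
    return min(records, key=lambda r: (r.priority,
                                       datetime.max - r.record_updated,
                                       datetime.max - r.class_modified))

def masking_applies(records):
    """Desensitization is not effective when the winning classification is Disabled."""
    winner = arbitrate(records)
    return winner is not None and winner.enabled

# Constructed sample data.
SAMPLES = ["test_user", "Test_admin", "TEST", "alice"]
RECORDS = [
    Detection("Name", 2, datetime(2025, 3, 1), datetime(2025, 1, 1)),
    Detection("Nickname", 2, datetime(2025, 3, 5), datetime(2025, 1, 1)),
    Detection("LegacyName", 1, datetime(2025, 2, 1), datetime(2024, 6, 1), enabled=False),
]

if __name__ == "__main__":
    print(content_match_rate(".*test.*", SAMPLES, case_compatible=True))
    print(arbitrate(RECORDS).classification, masking_applies(RECORDS))
```

In the sample records, the retained Disabled classification with priority 1 wins arbitration over the two enabled priority 2 classifications, so the field is left without desensitization. After disabling a classification with the Retain policy, review the fields whose final result still points to it.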

What to do next

After creating the data classification, you can use it in detection rules. For more information, see Create and Manage Detection Rules.