Data Security Guard's system settings let you control four platform-wide behaviors: how long data watermark files are retained, whether MaxCompute classification results appear as security-level labels in Data Map, which email or webhook addresses receive alerts when sensitive data is detected, and whether the platform re-evaluates unclassified data in real time before displaying it.
Prerequisites
Before you begin, make sure you have:
- An Alibaba Cloud account with the required permissions for Data Security Guard. Without the required permissions, you'll be redirected to the authorization page and can't access the settings described here.
Go to the System configuration page
- Log on to the DataWorks console. In the top navigation bar, select the desired region.
- In the left-side navigation pane, choose Data Development and O&M > Data Development. Select the desired workspace from the drop-down list, then click Go to Data Development.
- Click the icon in the upper-left corner. Choose All Products > Data Governance > Data Security Guard, then click Try Now.
- In the left-side navigation pane, click System Configuration.
The System Configuration page has four tabs:
| Tab | What you configure |
|---|---|
| Watermark-based Tracing | Retention period for data watermark files |
| Tagging Configuration | Whether MaxCompute classification results appear as security-level labels in Data Map |
| Alert Settings | Email and webhook addresses for alert notifications |
| Desensitization Settings | Whether unclassified data is re-evaluated in real time before display |
Watermark-based tracing
On the System Configuration > Watermark-based Tracing tab, set the retention period for data watermark files to one, two, or three years.
The retention period determines how far back the platform can trace when a data breach occurs. For example, with a two-year retention period, Data Security Guard can extract watermark information from a leaked file and trace operations from the past two years to identify who may have leaked the data.
For more information about how watermark-based tracing works, see Data traceability.
Tagging configuration
On the System Configuration > Tagging Configuration tab, enable or disable automatic sensitivity labeling for MaxCompute data.
When enabled, Data Security Guard reads the classification results from MaxCompute and adds each column's classification level as a sensitivity level label. This label appears in the Field Information > Security Level column on the table details page in DataWorks Data Map. For more information, see View table details.
Before enabling, note the following:
- If you enable labeling but can't see column-level security levels in Data Map, confirm that the column-level access control switch is on. For details, see Label-based access control.
- After enabling, the column classification results in the MaxCompute project affect access control. Confirm each field's level on the View and manually correct sensitive data detection results page. If the access permission level label configured in MaxCompute is lower than a field's security level, access to that field is blocked. To set access permission level labels, see Label-based access control.
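The blocking rule above can be checked before you enable tagging. The following is an added example, not part of Data Security Guard or its documentation: it lists which reads would be blocked and which fields still have no level to compare. The integer level scale, the default label of 0 for users without a label, and all column and user names are assumptions or constructed sample data.

```python
# Constructed sample data; none of these names come from a real project.
# Column -> security level taken from the detection results page.
# Assumption: levels are integers and a higher number is more sensitive.
FIELD_LEVELS = {
    "orders.order_id": 1,
    "orders.note": 2,
    "orders.customer_phone": 3,
    "orders.card_number": 4,
}
# User -> access permission level label configured in MaxCompute.
USER_LABELS = {"analyst_a": 2, "etl_service": 4}
# Columns each user's jobs read; intern_b has no label configured.
USER_READS = {
    "analyst_a": ["orders.order_id", "orders.note", "orders.customer_phone"],
    "etl_service": ["orders.card_number", "orders.customer_phone"],
    "intern_b": ["orders.order_id", "orders.free_text"],
}
DEFAULT_LABEL = 0  # assumption: a user without a label gets the lowest level


def access_impact(field_levels, user_labels, user_reads):
    """Return (blocked, unclassified) dicts keyed by user."""
    blocked, unclassified = {}, {}
    for user, fields in user_reads.items():
        label = user_labels.get(user, DEFAULT_LABEL)
        for field in sorted(fields):
            level = field_levels.get(field)
            if level is None:
                # No classification yet: confirm the level manually first.
                unclassified.setdefault(user, []).append(field)
            elif label < level:
                # Rule from the text: label lower than field level => blocked.
                blocked.setdefault(user, []).append((field, level, label))
    return blocked, unclassified


def label_needed(field_levels, user_reads):
    """Lowest label each user needs to keep reading their classified fields."""
    return {
        user: max((field_levels[f] for f in fields if f in field_levels), default=0)
        for user, fields in user_reads.items()
    }


if __name__ == "__main__":
    print(access_impact(FIELD_LEVELS, USER_LABELS, USER_READS))
    print(label_needed(FIELD_LEVELS, USER_READS))
```

A label equal to the field's level is not blocked, because the rule only applies when the label is lower.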
Alert settings
On the System Configuration > Alert Settings tab, set the destinations for alert notifications. When sensitive data is detected, the platform sends an alert to notify the relevant personnel to assess and handle the risk.
Two destination types are supported:
Email recipient address
Configure the mailbox to receive alert notifications. When a data risk is detected, the platform sends an alert to this address. To add a new alert contact, see View and set alert contacts.
Webhook recipient address
Configure a webhook URL to push alerts to a group chat. Supported platforms:
- DingTalk groups
- WeCom
- Lark
Pushing alerts to WeCom or Lark requires DataWorks Enterprise Edition.
Desensitization settings
On the System Configuration > Desensitization Settings tab, enable or disable real-time detection of sensitive data.
This setting only takes effect if you have already configured both sensitive data detection rules and data masking rules. Without both configured, the platform has no rules to apply regardless of this setting.
The following table shows how each option affects platform behavior when you query or display data:
| Setting | Behavior |
|---|---|
| Real-time detection enabled (default) | The platform checks whether the data is sensitive based on existing detection results. If sensitive, the data is masked before display. If not yet classified, the platform starts a real-time detection task to re-evaluate it — if the re-evaluation identifies the data as sensitive, it is masked immediately. |
| Real-time detection disabled | Only data already identified as sensitive is masked. Unclassified data is displayed without masking, even if it would be identified as sensitive upon re-evaluation. |
Real-time detection is enabled by default to catch sensitive data in new entries that haven't been classified yet.
What's next
- Data traceability: learn how watermark information is extracted from leaked files
- View and set alert contacts: manage who receives alert notifications
- View and manually correct sensitive data detection results: confirm field classification levels after enabling tagging