DataWorks supports various data masking scenarios. You can create data masking rules for the scenarios that you require. This topic describes how to create these rules and run masked queries in DataWorks.
Background information
DataWorks provides two types of data masking: static data masking and dynamic data masking.
-
Dynamic data masking: This includes scenarios such as Data Development and Data Map display masking, DataAnalysis display masking, MaxCompute engine-layer masking, and Hologres engine-layer masking.
-
Static data masking: This refers to the data integration static masking scenario.
By default, data masking rules are disabled after they are created. You must manually enable the rules to automatically mask data in the relevant scenarios.
-
To enable or disable a data masking rule, see Enable or disable a data masking rule.
-
For more information about each data masking scenario, see Data masking scenarios.
Prerequisites
-
(Optional, for dynamic data masking only) You can configure sensitive data detection rules as needed. This lets you associate fields that require masking when you create data masking rules. For more information, see Sensitive data detection rules.
-
(Optional, for dynamic data masking only) You can use a whitelist to allow specific users to bypass data masking rules during a specified period. To do this, add the users to a user group to allow them to view raw data. For more information, see Configure a user group.
-
(Optional, for MaxCompute engine layer masking only) This scenario masks sensitive data when you query data from entry points other than DataWorks, such as the MaxCompute command line client (odpscmd) or Logview. To use this scenario, you must request to add an IP address to the MaxCompute network whitelist. This lets you call the masking functions. For more information, see Example: Use underlying data masking in E-MapReduce.
Access control
-
Configure data masking rules (create, edit, and delete):
-
Tenant Administrator and tenant security administrators can perform these operations for all data masking scenarios.
-
Workspace Administrator and workspace security administrators can perform these operations only for the data masking scenarios for which they have permissions.
-
-
Configure a data masking whitelist (create, edit, and delete):
-
Tenant administrators and tenant security administrators can configure whitelists for all data masking scenarios.
-
Workspace Administrator and workspace security administrators can configure whitelists only for the data masking scenarios for which they have permissions.
-
To perform these operations, you must be granted the required role permissions. For more information about authorization, see Workspace-level module permissions and Global module permissions.
Entry point for data masking rule configuration
Log on to the DataWorks console. In the target region, click in the left-side navigation pane. On the page that appears, click Go to Security Center.
In the left-side navigation pane, click and then click Try Now to access Data Security Guard.
NoteIf your Alibaba Cloud account is already authorized, you are directed to the Data Security Guard homepage.
If your Alibaba Cloud account is not authorized, you are redirected to the Data Security Guard authorization page. To use Data Security Guard features for the first time, go to , select Data Security Guard in the pop-up dialog, and then complete the authorization.
-
In the navigation pane on the left, choose to go to the Data Masking Management page.
-
In the left-side pane, select a data masking scenario. Then, click Masking Rule on the right to create a rule for the scenario.
-
Dynamic data masking: The rule configuration is similar for all dynamic masking scenarios. This topic uses the Data Development/Data Map display masking scenario as an example. For more information about the configuration, see Create a dynamic data masking rule: Data Development/Data Map display masking scenario.
-
Static data masking: For more information about the configuration, see Create a static data masking rule: Data integration static masking scenario.
-
Create a dynamic data masking rule: Data Development/Data Map display masking scenario
-
Select a data masking scenario.
On the Data Masking Management page, set Data Masking Scenario to . Then, click Masking Rule on the right.
-
Create a data masking rule.
-
In the Create Masking Rule dialog box, configure the parameters for the rule.
-
-
Select a sensitive field and specify a rule name.
Parameter
Description
Sensitive field type
Select the type of field to which this data masking rule applies.
-
You can select a built-in sensitive field type or a custom sensitive field type that you created in Sensitive Data Detection. For more information about how to add a sensitive field, see Sensitive data detection rules.
-
If you have created a data masking rule for the same scenario, DataWorks filters out the sensitive field types that are already used to prevent inconsistent masking rules for the same sensitive field in the same scenario.
Masking Rule Name
By default, this parameter is the same as Sensitive field type. You can also specify a custom name. The rule name must be unique.
-
-
Configure data masking scenarios.
Select the scenarios to which the data masking rule applies. By default, the scenario that you selected in Step 1 is used. You can change the scenario or add more scenarios as needed.
-
Configure a data masking method.
DataWorks provides data transformation methods such as Format-preserving encryption, Mask, HASH encryption, String Replacement, Range transformation, Round, and Set to null. You can select a method based on your requirements.
Format-preserving encryption (formerly pseudonymization algorithm)
Format-preserving encryption replaces a value with a masked value that has the same characteristics. The format of the data remains the same after masking. The following table describes the parameters for this data masking rule.
Parameter
Description
(Optional) Data watermark
A data watermark provides data traceability. If a data breach occurs, the watermark can help you locate the potential source of the breach. You can enable or disable Data watermark as needed.
NoteThe data watermark feature is available only in DataWorks Enterprise Edition.
Desensitization characteristic value
Different masking feature values correspond to different masking policy rules. This means that for the same source data, different masking feature values produce different masked results. If the masking feature value is the same, the same source data will produce the same masked data.
For example, if the raw data is a123:
-
If you set the masking feature value to 0, the data is masked as b124.
-
If you set the masking feature value to 1, the data is masked as c234.
The default value is 5. The value can range from 0 to 9.
Replace Character Set
If the detection rule for the selected Sensitive field type is not a built-in rule, you must configure Replace Character Set. After you configure a replacement character set, any character in the set will be replaced with another character of the same type.
For example, if the sensitive data before masking consists of digits from 0 to 3 and letters from a to d, the masked data will also consist of digits and letters within that range.
NoteCharacters in the character set are replaced with characters from the same range. The replacement character set supports uppercase letters, lowercase letters, and digits. Separate multiple characters with commas (,). Chinese characters are not supported. If the data to be masked does not conform to the character set range, it will not be masked.
Mask
The mask method conceals part of the information by replacing characters at specific positions with asterisks (*). When you use this method, you must select a masking mode. DataWorks provides several built-in masking modes and supports custom modes.
Parameter (select one)
Description
Recommended Methods
Select a recommended masking method from the drop-down list. The available masking methods vary depending on the field to be masked.
DataWorks has three built-in masking methods. They include showing only the first and last characters, showing only the first three and last two characters, and showing only the first three and last four characters. Select an option from the drop-down list as needed.
Custom
This provides a more flexible way to configure masking. You must configure whether to mask each segment from left to right and specify the number of characters to mask (or not to mask). You can add up to 10 segments. At least one segment is required, and there must be exactly one segment set to Remaining Characters.
For example, mask the first 3 characters and do not mask the remaining characters.
HASH encryption
When you use HASH encryption for data masking, you must configure the parameters described in the following table.
Parameter
Description
Data watermark
A data watermark provides data traceability. If a data breach occurs, the watermark can help you locate the potential source of the breach. You can enable or disable Data watermark as needed.
NoteThe data watermark feature is available only in DataWorks Enterprise Edition.
Encryption Algorithm
The options include MD5, SHA256, SHA512, and SM3.
Salt value
Set the salt value for each encryption algorithm. The default value is 5. The value can range from 0 to 9.
NoteA salt is a specific string that is inserted. In cryptography, salting is the process of inserting a specific string at a fixed position in a password. This makes the hashed result different from the result of hashing the original password.
Character replacement
The String Replacement method replaces characters at a specified position with characters that you choose. The following table describes the parameters for this data masking rule.
Parameter
Description
(Required) Replacement position
From the drop-down list, you can select Replace all, Replace first 3 characters, or Replace last 4 characters. You can also select Custom to define the replacement position.
If you set Replacement position to Custom, you can define custom segments. You must define the segments from left to right and configure the number of characters to replace and the replacement method for each segment. You can add up to 10 segments. At least one segment is required, and there must be exactly one segment set to Remaining Characters.
(Required) Replacement Method
The options include Random replacement, Sample value replacement, and Fixed value substitution.
-
Random replacement: Randomly replaces characters at the corresponding positions. The number of characters remains the same after replacement.
-
Sample value replacement: You must select a sample library. The values from the selected sample library are used to replace the characters at the corresponding positions.
-
Fixed value substitution: In the Replacement value text box, enter the replacement characters (any characters, 1 to 100 characters in length, cannot contain null characters). The entered value is used to replace the characters at the corresponding positions.
Range transformation
The Range transformation method applies only to numeric data. It masks data within a specified numeric range to a fixed value. You can add a minimum of 1 and a maximum of 10 ranges.
Parameter
Description
Original numeric range [m,n)
The numeric range of the data before masking. The value must be greater than or equal to 0 and can have up to two decimal places.
Masked numeric value
The value after masking. The value must be greater than or equal to 0 and can have up to two decimal places.
Round
The Round method applies only to numeric data.
Parameter
Description
Raw data type
Only numeric types are supported.
Keep the number of decimal places
You can keep 0 to 5 decimal places. The remaining part is rounded. For example, if the original value is 3.1415 and you choose to keep 2 decimal places, the masked value is 3.14.
Set to null
When you use the Set to null method, the corresponding sensitive field is set to an empty string.
-
-
-
Verify the masking result.
In the Sample Data text box, enter sample data to be masked. The data can be 0 to 100 characters in length. Then, click Validation. The masked data is returned in the Masking Effect field.
-
Click Save or Save to create the data masking rule.
-
After you create the data masking rule:
-
For dynamic data masking scenarios, you can configure a whitelist for the rule. Whitelisted users can view raw data within a specified period. For more information about how to add a user to a whitelist, see Configure a whitelist for a data masking rule (for dynamic data masking only).
-
By default, data masking rules are disabled after they are created. You must manually enable the rules for them to take effect in the relevant scenarios. For more information about how to change the status of a rule, see Enable or disable a data masking rule.
Create a static data masking rule: Data integration static masking scenario
-
On the Data Masking Management page, set Data Masking Scenario to . Then, click + Data Masking Rule on the right.
-
Create a data masking rule.
-
In the Create Masking Rule dialog box, configure the parameters for the rule.
At the bottom of the dialog box, you can verify the masking result. Enter sample data in the Sample data field and click Verify Masking. The masked result is displayed in the Masking effect area.
-
Select a sensitive data type and specify a rule name.
Parameter
Description
Sensitive Data Type
-
Select Existing: Select an existing sensitive data type (either built-in or custom) as needed.
-
Add Type: Enter a name for the sensitive data type. The name must be unique and cannot be the same as an existing type.
NoteBuilt-in sensitive data types include the following: Mobile phone number, ID card number, Bank card number, Email_Built-in, IP, License plate number, Postal code, Landline number, MAC address, Address, Name, Company name, Ethnicity, Zodiac sign, Gender, and Nationality.
Masking Rule Name
By default, this parameter is the same as Sensitive Data Type. You can also specify a custom name. The data masking rule name must be unique.
-
-
Configure a data masking method.
DataWorks supports three data masking methods: Pseudonym, Hash, and Mask. You can select the method that best suits your needs.
Alias
Pseudonymization replaces a value with a masked value that has the same characteristics. The format of the data remains the same after masking. Only some existing fields support pseudonymization.
-
If the selected Sensitive Data Type is a built-in type, such as Mobile phone number, ID card number, Bank card number, Email_Built-in, IP, License plate number, Postal code, Landline number, MAC address, Address, Name, or Company name, you must configure the Security domain.
Security domain: The value is an integer from 0 to 9. Each security domain uses a different set of masking policy rules. As a result, the same source data is masked differently depending on the security domain used. For example, if the raw data is a123, setting the security domain to 0 masks the data as b124, while setting it to 1 masks the data as c234. If the security domain is the same, the same source data always produces the same masked result.
-
If the selected Sensitive Data Type is not a built-in type, you must configure the Replace Character Set.
Replace Character Set: Replaces characters with other characters of the same type. The replacement character set can contain uppercase letters, lowercase letters, and digits. Use a comma (,) to separate multiple characters. Chinese characters are not supported. Data that does not match the specified character types is not masked. For example, if the original sensitive data consists of digits from 0 to 3 and letters from a to d, the masked data will also consist of digits and letters from that same range.
Hashing
This method encrypts raw data into fixed-length data. The Hashing method requires you to select a Security domain.
Security domain: The value can range from 0 to 9. Each security domain has a different set of masking policy rules. Therefore, applying different security domains to the same source data produces different masked results. Conversely, applying the same security domain to the same source data always produces the same masked result.
For example, if the raw data is a123:
-
If you set the security domain to 0, the data is masked as b124.
-
If you set the security domain to 1, the data is masked as c234.
Mask
The Mask method conceals part of the information by replacing characters at specific positions with asterisks (*). When you use this method, you must select a masking mode. DataWorks provides several built-in masking modes and supports custom modes.
-
Recommended Methods: For some fields, you can select a recommended masking method from the drop-down list. The available masking methods vary depending on the field. DataWorks provides three built-in masking methods. These methods show only the first and last characters, the first three and last two characters, or the first three and last four characters. You can select one as needed. For some existing fields, you can only select the default method.
-
Custom: Provides a flexible way to configure masking. You can configure each segment from left to right, specifying whether to mask it and the number of characters to mask or retain. You can add up to 10 segments. At least one segment is required, and exactly one segment must be set to Remaining Characters.
-
Example 1: Mask the first three characters and do not mask the remaining characters.
-
Example 2: The last 3 digits are masked, and the remaining digits are unmasked.
-
-
-
-
Verify the masking result.
In the Sample Data text box, enter sample data to be masked. The data can be 0 to 100 characters in length. Then, click Verify Masking. The masked data is returned in the Masking Effect field.
-
Click Confirm to create the data masking rule.
-
After you create the data masking rule:
-
By default, data masking rules are disabled after they are created. You must manually enable the rules for them to take effect in the relevant scenarios. For more information about how to change the status of a rule, see Enable or disable a data masking rule.
-
After you create a data integration masking rule, you can use the rule when you create a real-time synchronization task for a single table. For more information, see Configure data masking.
Configure a whitelist for a data masking rule (for dynamic data masking only)
For dynamic data masking scenarios, you can configure a whitelist of users for a data masking rule. After the rule is enabled, whitelisted users are not affected by the rule and can view raw data during a specified period.
Before you create a whitelist, you must add the users that you want to add to the whitelist to a user group. For more information about how to configure a user group, see Configure a user group.
To add a whitelist, perform the following steps:
-
On the Data Masking Management page, click Whitelist Configuration.
-
In the upper-right corner, click Allowlist.
-
In the Create Whitelist dialog box, configure the parameters.
Note-
You cannot configure whitelists for Hologres engine layer masking or Data integration static masking scenarios.
-
After you set the effective period for a whitelist, sensitive data that meets the whitelist conditions is not masked during the specified period.
The following table describes the parameters.
Parameter
Description
Sensitive field type
You can only select sensitive field types that are enabled for the current data masking scenario.
User group scope
Select a configured user group. You can select up to 50 user groups. After a user group is added to the whitelist, the accounts in the user group can retrieve the raw data before masking. For more information about how to configure a user group, see Configure a user group.
Effective Time
Set the effective period for the whitelist as needed. You can choose a short-term or permanent period. Short-term options include 30 days, 90 days, 180 days, and 365 days. You can also set a custom period, which can start on the current day or a future date.
If a user queries sensitive information outside the effective period of the whitelist, the data will continue to be masked.
NoteIf you select a short-term period, the data will not be masked from the current time until the specified number of days has passed.
-
-
Click Save to complete the whitelist configuration.
Enable or disable a data masking rule
On the Data Masking Rule tab, click the Status switch for a data masking rule to set its status to Effective or Failure.
After the status is set, you can edit, delete, or view the details of the rule.
-
You cannot Delete or Edit an active desensitization rule. You must first set the rule to Failure. Before you do, you must check whether any related tasks use the rule and contact a security administrator to confirm.
-
In the Failure state, you can edit or delete the rule, but you cannot modify the Sensitive Data Type or Masking Rule Name.
-
After you make changes, you can set the status to Effective. Tasks that use this rule can then continue to perform data masking.
Examples of data masking rule applications
-
After you create a data integration masking rule, you can use the rule when you create a real-time synchronization task for a single table. For more information, see Configure data masking.