All Products
Search

This Product

    DataWorks:New user guide

    Document Center

    DataWorks:New user guide

    Last Updated:Mar 27, 2026

    Complete the initial configuration of sensitive data protection in DataWorks by following this task guide.

    By the end of this guide, you will have:

    • Selected a sensitive data management type for your DataWorks tenant.

    • Chosen an industry template to classify your sensitive data.

    • Created a data identification task that samples and scans your data.

    • Applied masking rules to control how sensitive data is displayed.

    • Enabled risk detection rules to monitor data access behavior.

    Limitations

    • Editions: Standard Edition, Professional Edition, and Enterprise Edition — provided you have enabled the new data security features in Security Center.

    • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore, and Indonesia (Jakarta).

    • Supported compute engines: MaxCompute and Hologres.

    Prerequisites

    Before you begin, make sure you have:

    • A DataWorks tenant that has not yet completed the sensitive data management type selection.

    • An Alibaba Cloud account or RAM user that meets one of the following conditions:

      • Attached with the AliyunDataWorksFullAccess policy.

      • Assigned the tenant security administrator role of DataWorks.

      • Assigned the tenant administrator role of DataWorks.

    Select sensitive data protection

    1. Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

    2. In the pop-up window, select Sensitive Data Protection as the Security Center type. The system defaults to Security situation > Security Overview.

    Important

    This selection is required only during initial access and cannot be changed once confirmed.

    image

    Step 1: Select an industry template

    Click Preview to view the data classification and categorization details of a template. Select a suitable template, then click Next step.

    Note

    After you select an industry template, you cannot change it.

    After selection, you can:

    • Add more sensitive data types.

    • Customize data classification and categorization.

    • Disable data types that do not apply to your organization.

    Step 2: Configure the data identification task

    Create a single task that uses a specified account to sample and detect data in a specified project. The task assesses the classification and categorization of each field.

    Parameter Description
    Task Name The name of the task.
    Task Type The task guide supports Single Task only. After completing the guide, create auto-triggered tasks on the Data Classification and Categorization page.
    Identification range The scope of data the task covers. The minimum scope is a single data table.
    Sampling quantity The amount of data to sample from each column during task execution. A larger sample improves detection accuracy but increases task duration. Maximum: 200.
    Data sampling using The account used to access data during task execution. If the account lacks the required permissions, sampling and detection fail. Make sure the account has access to table names, column names, column descriptions, and column data within the detection scope.

    After configuring the parameters, click Next step to proceed to Set Masking Rules.

    Step 3: Set masking rules

    After masking rules take effect, users see only masked data when accessing sensitive data from Data Studio, DataAnalysis, or Data Map.

    • DataWorks enables masking rules for some data types by default, based on the industry template you selected. Modify these rules later on the Sensitive Data Protection > Data desensitization page.

    • Masking policies support whitelists. Users in a whitelist can view raw data. Configure whitelists later on the Sensitive Data Protection > Data desensitization page.

    Configure the following masking policy parameters:

    Parameter Description
    Desensitization Policy Name The name of the policy.
    Effective user range The RAM users and RAM roles for whom the policy is effective. A whitelist takes effect only if the specified RAM users and RAM roles are included in it.
    Effective Project Scope The projects whose resources are subject to masking when users access them.
    Effective Workspace The DataWorks workspaces where the policy is effective during data development or data analysis.

    When masking takes effect:

    • Data Studio and DataAnalysis: All three conditions must be met — Effective user range, Effective Project Scope, and Effective Workspace.

    • Data Map: Two conditions must be met — Effective user range and Effective Project Scope.

    After setting the masking rules, click Next to go to the Set Risk Detection Rules page.

    Step 4: Set risk detection rules

    DataWorks detects security risks based on user data access behavior. Enable check items based on your security requirements. Customize security risk check items later on the Security situation > Security risk page.

    After configuring the risk detection rules, click Submission to start and initialize the data detection task.

    Warning

    Before clicking Submission, you can abort the guide at any time — but you must restart the configuration from the beginning. After clicking Submission, the guide task runs immediately and cannot be revoked.

    Note

    Initialization takes about 1 to 3 minutes.

    What's next