DataWorks: New user guide

Last Updated: Nov 25, 2025

When you first use the new data security features in DataWorks, complete the initial configuration by following the task guide.

Limitations

  • Applicable users: This feature is available to users of DataWorks Standard Edition, Professional Edition, or Enterprise Edition who have enabled the new data security features in Security Center.

  • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), China (Ulanqab), China (Shenzhen), China (Chengdu), China (Hong Kong), and Japan (Tokyo).

  • Supported compute engines: MaxCompute and Hologres.

Prerequisites

  • The DataWorks tenant has not completed the Sensitive Data Protection Operational Guidelines.

  • The Alibaba Cloud account or a RAM user that you use must meet one of the following conditions:

    • The AliyunDataWorksFullAccess policy is attached to the Alibaba Cloud account or RAM user.

    • The Alibaba Cloud account or RAM user is assigned the tenant security administrator role of DataWorks.

    • The Alibaba Cloud account or RAM user is assigned the tenant administrator role of DataWorks.

Start the sensitive data protection operational guidelines

You can access Sensitive Data Protection in the following way:

Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

In the pop-up window, select Sensitive Data Protection as the Security Center type. By default, the Security situation > Security Overview page opens.

Configure the data identification task guidance

  1. Select an industry template

    Click Preview to view the data classification and categorization details of a template. Select a suitable template, and then click Next step.

    Note
    • After you select an industry template, you cannot change it.

    • Based on the template, you can add more sensitive data types, customize data classification and categorization, and disable data types that do not apply.

  2. Configure identification tasks

    Create a single task that uses a specified account to sample and detect data in a specified project. The task assesses the classification and categorization of each field. The parameters are described below:

    | Parameter | Description |
    | --- | --- |
    | Task Name | The name of the task. |
    | Task Type | The task guide supports only Single Task. After you complete the guide, you can create an auto triggered task on the Data Classification and Categorization page. |
    | Identification range | The scope of data that the detection task covers. The minimum scope is a single data table. |
    | Sampling quantity | The amount of data to sample from each column during task execution. A larger sample size improves detection accuracy but increases task duration. The maximum sample size is 200. |
    | Data sampling using | During task execution, DataWorks can only use the specified account to access data. If the specified account does not have the required permissions, data sampling and detection will fail. |

    Note

    Ensure that the specified account has permissions to access the table names, column names, column descriptions, and column data within the specified detection scope.

    After you configure the parameters, click Next step to proceed to Set Masking Rules.

  3. Set desensitization rules

    After the masking rules take effect, users see only masked data when they access sensitive data from Data Studio, DataAnalysis, or Data Map in DataWorks.

    • Based on the industry template you selected, DataWorks enables masking rules for some data types by default. You can modify these rules later on the Sensitive Data Protection > Data desensitization page.

    • DataWorks data masking policies support whitelists. Users in a whitelist can view raw data when they access sensitive data. You can configure whitelists later on the Sensitive Data Protection > Data desensitization page.

    | Parameter | Description |
    | --- | --- |
    | Desensitization Policy Name | The name of the policy. |
    | Effective user range | The users for whom the masking policy is effective. Both RAM users and RAM roles are supported. A whitelist takes effect only if the specified RAM users and RAM roles are included in it. |
    | Effective Project Scope | The projects to which the resources belong. When a user accesses these projects, the masking rules are applied. |
    | Effective Workspace | The DataWorks workspaces where the masking policy is effective when users perform data development or data analysis. |

    Note
    • Data Studio and DataAnalysis: The desensitization policy takes effect only when all three conditions (Effective user range, Effective Project Scope, and Effective Workspace) are met.

    • DataWorks Data Map: The desensitization policy takes effect only when two conditions (Effective user range and Effective Project Scope) are met.

    After you set the masking rules, click Next to go to the Set Risk Detection Rules page.

  4. Set up risk detection rules

    DataWorks can detect security risks based on user data access behavior. You can enable check items based on your security requirements. You can also customize security risk check items on the Security situation > Security risk page. After you configure the risk detection rules, click Submission to start and initialize the data detection task.

    Note

    After you follow the data identification task guidance, the data security initialization starts. This process takes about 1 to 3 minutes. Please wait.

    Before you click Submission, you can abort the guide configuration at any time (you will need to restart the configuration from the beginning). After you click Submission, the guide task runs immediately and cannot be revoked.
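
The scoping conditions from step 3, modelled as an added example (not DataWorks code or a DataWorks API; the Policy class, the function names and the sample principals, projects and workspaces are hypothetical). It lists the access paths that would return raw data, for example a workspace that is missing from Effective Workspace.

```python
from dataclasses import dataclass
# Surfaces named on the page. Data Map does not check Effective Workspace.
NEEDS_WORKSPACE = {"Data Studio", "DataAnalysis"}
SURFACES = NEEDS_WORKSPACE | {"Data Map"}

@dataclass(frozen=True)
class Policy:  # hypothetical model, not a DataWorks API object
    users: frozenset       # Effective user range (RAM users and RAM roles)
    projects: frozenset    # Effective Project Scope
    workspaces: frozenset  # Effective Workspace
    whitelist: frozenset = frozenset()  # principals allowed to see raw data

def evaluate(policy, surface, user, project, workspace=None):
    """Return (masked, reason) for one access to a sensitive column."""
    if surface not in SURFACES:
        raise ValueError(f"surface not described on the page: {surface}")
    if user not in policy.users:
        return False, "user outside Effective user range"
    if project not in policy.projects:
        return False, "project outside Effective Project Scope"
    if surface in NEEDS_WORKSPACE and workspace not in policy.workspaces:
        return False, "workspace outside Effective Workspace"
    if user in policy.whitelist:
        return False, "user is whitelisted"
    return True, "all required conditions met"

def raw_data_paths(policy, accesses):
    """Keep only the accesses that would return unmasked data."""
    results = [(a, evaluate(policy, *a)) for a in accesses]
    return [(a, reason) for a, (masked, reason) in results if not masked]

# Constructed sample policy and access paths (all names are made up).
POLICY = Policy(
    users=frozenset({"analyst", "etl-role"}),
    projects=frozenset({"sales_prod"}),
    workspaces=frozenset({"ws_sales"}),
    whitelist=frozenset({"etl-role"}),
)
ACCESSES = [
    ("Data Studio", "analyst", "sales_prod", "ws_sales"),
    ("Data Studio", "analyst", "sales_prod", "ws_adhoc"),
    ("Data Map", "analyst", "sales_prod", None),
    ("DataAnalysis", "etl-role", "sales_prod", "ws_sales"),
    ("Data Map", "contractor", "sales_prod", None),
]

if __name__ == "__main__":
    for access, reason in raw_data_paths(POLICY, ACCESSES):
        print(access, "->", reason)
```

Running the same check against your own list of users, projects and workspaces before you click Submission shows which combinations the policy leaves unmasked.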

Next steps