
DataWorks: Create a data masking scenario

Last Updated: Dec 13, 2023

DataWorks provides a variety of ready-to-use level-1 data masking scenarios. If these data masking scenarios cannot meet your requirements for finer-grained data masking, you can use level-1 data masking scenarios to configure level-2 data masking scenarios based on your business requirements. This topic describes how to create a data masking scenario.

Descriptions of data masking scenarios

DataWorks provides dynamic data masking scenarios, such as masking of displayed data in DataStudio and Data Map, masking of displayed data in DataAnalysis, data masking at the MaxCompute compute engine layer, and data masking at the Hologres compute engine layer. DataWorks also provides the scenario of static data masking in Data Integration. The preceding data masking scenarios are level-1 data masking scenarios, which are fixed and cannot be created, modified, or deleted. DataWorks provides a default level-2 data masking scenario for each level-1 data masking scenario. You can modify the default level-2 data masking scenario based on your business requirements or create a level-2 data masking scenario. The following table describes level-1 and level-2 data masking scenarios.

Note
  • The operations that you can perform on different level-2 data masking scenarios vary in the DataWorks console.

  • You can configure a maximum of two levels of data masking scenarios.

Level-1 data masking scenario: Masking of displayed data in DataStudio and Data Map

  Level-2 data masking scenario:

  • Maximum number of level-2 data masking scenarios: 30.

  • Supported operations: You can configure a custom level-2 data masking scenario based on your business requirements.

  Description:

  • Data that is queried in DataStudio or Data Map in the DataWorks console is masked based on the data masking rules that you configure.

  • The sensitive data in the query results returned by using the SQL query feature of DataAnalysis is masked based on the data masking rules that you configure.

  Note

  E-MapReduce (EMR) does not support masking of displayed data in DataStudio. Hologres does not support masking of displayed data in DataStudio and Data Map.

Level-1 data masking scenario: Masking of displayed data in DataAnalysis

  Description:

  The sensitive data in the query results returned by using the SQL Notes feature of DataAnalysis is masked based on the data masking rules that you configure.

Level-1 data masking scenario: Data masking at the MaxCompute compute engine layer

  Description:

  Data that is queried by using the MaxCompute CLI, MaxCompute client (odpscmd), or LogView is masked based on the data masking rules that you configure at the display layer. In this data masking scenario, data at the storage layer of the compute engine remains unchanged.

  For information about the best practices for data masking at the MaxCompute compute engine layer, see Sample practice for performing underlying data masking on MaxCompute projects.

Level-1 data masking scenario: Data masking at the Hologres compute engine layer

  Level-2 data masking scenario:

  • Maximum number of level-2 data masking scenarios: 1.

  • Supported operations: You can only modify the default level-2 data masking scenario. You are not allowed to configure a custom level-2 data masking scenario.

  Description:

  When you query Hologres data in DataStudio, sensitive data is masked based on the data masking rules that you configure.

  Note

  Data masking at the Hologres compute engine layer does not support pseudonym-based data masking or configuration of a whitelist for a data masking rule. If you use the pseudonym-based data masking method, sensitive data is masked by using *** in this data masking scenario.

Level-1 data masking scenario: Static data masking in Data Integration

  Level-2 data masking scenario:

  You cannot configure level-2 data masking scenarios.

  Description:

  This type of data masking scenario is suitable for masking offline data in Data Integration. In this data masking scenario, sensitive data is recognized and masked based on the configured data masking rules when data is being synchronized. After data masking is complete, the data is stored in the specified database location.

Permission management

  • Add, modify, and delete a data masking scenario:

    • The tenant administrator and tenant security administrator can select all workspaces of the tenant.

    • The workspace administrator and workspace security administrator can select only the workspaces on which they have permissions.

  • View a data masking scenario: Only the tenant administrator, tenant security administrator, workspace administrator, and workspace security administrator can view a data masking scenario.

You must be assigned the required role to perform the preceding operations. For more information about authorization, see Manage permissions on workspace-level services and Manage permissions on global-level services.

Entry point for configuring a data masking scenario

  1. Go to the DataStudio page.

    Log on to the DataWorks console. In the left-side navigation pane, choose Data Modeling and Development > DataStudio. On the page that appears, select the desired workspace from the drop-down list and click Go to DataStudio.

  2. Click the icon in the upper-left corner, choose All Products > Data Governance > Data Security Guard, and then click Try now to go to the Data Security Guard page.

    Note
    • If your Alibaba Cloud account is granted the required permissions, you can directly access the homepage of Data Security Guard.

    • If your Alibaba Cloud account is not granted the required permissions, you are redirected to the authorization page of Data Security Guard. You can use the features of Data Security Guard only after your Alibaba Cloud account is granted the required permissions.

  3. In the left-side navigation pane, choose Rule Change > Data Masking. The Data Masking page appears.

  4. In the Masking Scene section, click Add new scene.

Configure a data masking scenario

In the Create a new desensitization scene panel, perform the following operations:

  1. Select a level-1 data masking scenario and create a level-2 data masking scenario.

    Select a level-1 data masking scenario based on your business requirements and enter a name for the level-2 data masking scenario that you want to create.

  2. Select a data range.

    Select a compute engine type and the workspace to which you want to apply the data masking scenario. The data masking scenario takes effect only for the data in the selected workspace.

  3. Optional. Select a user group range.

    If you want to apply the data masking scenario to specific users, you can create a user group for the users and select the user group. For information about how to configure a user group, see Create and manage user groups.

    Note

    By default, no user group is selected. This indicates that the configured data masking scenario applies to all users within the current tenant.

  4. Click Confirm.

What to do next

After you configure the data masking scenario, you can create a data masking rule based on the scenario. For more information, see Create a data masking rule.