configuration of data masking rules, types of data masking scenarios, introduction to data masking capabilities - DataWorks

DataWorks provides multiple built-in level-1 data masking scenarios. If these scenarios do not meet your requirements, you can create custom level-2 scenarios based on the level-1 scenarios. This topic describes how to create a data masking scenario.

Introduction to data masking scenarios

DataWorks provides static and dynamic data masking scenarios.

Dynamic data masking: When you query sensitive data, the data is masked in real time and the masked results are displayed on the query page. This includes scenarios such as Masking of displayed data in DataStudio and Data Map, Masking of displayed data in DataAnalysis, Data masking at the MaxCompute engine layer, and Data masking at the Hologres engine layer.
Static data masking: Masks data before it is stored in a specified database location. An example is the Static data masking in Data Integration scenario.

The dynamic data masking scenarios provided by DataWorks, such as Masking of displayed data in DataStudio and Data Map, Masking of displayed data in DataAnalysis, Data masking at the MaxCompute engine layer, and Data masking at the Hologres engine layer, and the static data masking scenario Static data masking in Data Integration are all level-1 scenarios. These are fixed scenarios that you cannot add, edit, or delete. For each level-1 scenario, DataWorks provides a default level-2 data masking scenario. You can edit the default level-2 scenario or create a new one based on your requirements. The following table describes these scenarios.

Note

The operations for different level-2 scenarios vary. For more information, refer to the instructions on the user interface.
You can configure a maximum of two levels of data masking scenarios.

Level-1 data masking scenario	Level-2 data masking scenario	Description
Masking of displayed data in DataStudio and Data Map	Maximum number of scenarios: 30. Supported operations: You can customize level-2 scenarios. The scenario name can contain any characters and must be 1 to 30 characters in length.	Masks data that you query in DataStudio and Data Map based on the configured data masking rules. Data scope: MaxCompute and EMR engines. Masks sensitive data in the query results of the SQL Query feature in DataAnalysis based on the configured data masking rules. Note The sensitive data masking rules for the DataStudio/Data Map scenario take effect only after you enable data masking for the workspace. For the EMR engine, the Data Map scenario is not affected by the workspace data masking settings. The data masking rules take effect immediately after you configure them. The workspace setting to enable data masking is shared between the DataStudio/Data Map and DataAnalysis scenarios. If you change the setting for one scenario, the setting for the other scenario is also changed. Hologres does not support masking of displayed data in DataStudio and Data Map.
Masking of displayed data in DataAnalysis		Masks sensitive data in the query results of the SQL Notes feature in DataAnalysis based on the configured data masking rules. Data scope: MaxCompute engine. Note The sensitive data masking rules for the DataAnalysis scenario take effect only after you enable data masking for the workspace. The workspace setting to enable data masking is shared between the DataStudio/Data Map and DataAnalysis scenarios. If you change the setting for one scenario, the setting for the other scenario is also changed.
Data masking at the MaxCompute engine layer		Masks data at the presentation layer when you query data from the MaxCompute command line, the client (odpscmd), or Logview. This method does not change the data in the storage layer of the engine. Data scope: Applicable to the OPS data engine. Workspace and user group scope: Select one or more items from the drop-down list. For more information about the best practices for dynamic data masking in MaxCompute, see Best practices: Use underlying data masking in MaxCompute. Note The data masking at the MaxCompute engine layer complements the application-layer scenario masking. To enable this engine-layer masking scenario, you must also configure data masking rules for the corresponding fields. Otherwise, the application-layer masking rules apply.
Data masking at the Hologres engine layer	Maximum number of scenarios: 1. Supported operations: You can only edit the default level-2 scenario. You cannot add new level-2 scenarios.	Masks sensitive data when you query Hologres data in DataStudio based on the configured data masking rules. Data scope: Hologres engine. Note Data masking at the Hologres engine layer does not support pseudonym-based data masking or whitelists. If you configure pseudonym-based data masking for this scenario, sensitive data is masked as "***".
Static data masking in Data Integration	Editing and configuring level-2 scenarios are not supported.	This scenario is typically used to mask offline data during data integration. Sensitive data is identified and masked based on the configured rules before it is stored. The masked data is then stored in the specified database location.

Access control

To add, edit, and delete data masking scenarios:
- Tenant administrators and tenant security administrators can select all workspaces within the tenant as the data scope.
- Workspace administrators and workspace security administrators can select only the workspaces for which they have permissions as the data scope.
To view data masking scenarios: Only tenant administrators, tenant security administrators, workspace administrators, and workspace security administrators can view data masking scenarios.

You must have the required role permissions to perform these operations. For more information about how to grant permissions, see Manage permissions on workspace-level modules and Manage permissions on global-level modules.

Go to the data masking scenario configuration page

Go to the DataStudio page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Development and O&M > Data Development. On the page that appears, select the desired workspace from the drop-down list and click Go to Data Development.
Click the icon in the upper-left corner. Then, choose All Products > Data Governance > Data Security Guard. On the page that appears, click Try Now to go to the Data Security Guard page.
Note
- If your Alibaba Cloud account is granted the required permissions, you can directly access the homepage of Data Security Guard.
- If your Alibaba Cloud account is not granted the required permissions, you are redirected to the authorization page of Data Security Guard. You can use the features of Data Security Guard only after your Alibaba Cloud account is granted the required permissions.

In the navigation pane on the left, click Rule Configuration > Data Masking Management.
In the Data Masking Scenario section on the left, click Add Scenario.

Configure a data masking scenario

In the New Data Masking Scenario dialog box, configure the parameters:

You can select and create a desensitization scenario.
Select a primary scenario and enter a name for the secondary scenario. The name must be 1 to 30 characters long and can contain any characters.
Select a data scope.
Select the workspaces to which you want to apply the data masking scenario. The scenario takes effect only for the data in the selected workspaces.
(Optional) Select a user group scope.
If you want the data masking scenario to apply only to specific users, you can create a user group for these users and select that user group. For more information about how to configure a user group, see Configure a user group.
Note
By default, this parameter is left empty. This indicates that the data masking scenario applies to all users within the current tenant.
Click Confirm to complete the configuration.

What to do next

After you configure the data masking scenario, you can create a data masking rule based on the scenario. For more information, see Create a data masking rule.